Re-directs and False Virus alerts

Dell 3000
December 2, 2009 at 07:27:31
Specs: windows xp media, 1
OK, I've got the same thing it seems like everybody's getting: a virus that's not a virus. McAfee won't delete it or find it; Ad-Aware found a generic JS but can't clean it. Getting false virus pop-ups and redirects. HELP!!! I have downloaded Win32 Diag and run it, and it comes up real short and says it is not able to get backup permission. Ran RSIT and got a bunch. Should I post both here?



#1
December 2, 2009 at 08:12:04
Please post both logs and the following one.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
10. Exit GMER and re-enable all active protection when done.



#2
December 2, 2009 at 10:25:24
OK, here are the GMER results.
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 12:25:43
Windows 5.1.2600 Service Pack 3
Running: s7f5nl4b.exe; Driver: C:\DOCUME~1\mike\LOCALS~1\Temp\pwtirpob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF86C887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF86C8BFE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF8A3B760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF74CBF80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 82F31618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#3
December 2, 2009 at 11:02:36
Download SystemLook.exe from the following link.


SystemLook.exe


1. Double-click SystemLook.exe to run it.
2. Copy the content of the following code between the X's into the main textfield:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:filefind
atapi*
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
3. Click the Look button to start the scan.
4. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#4
December 2, 2009 at 12:07:42
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:06 on 02/12/2009 by mike (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\dell\ATAPI.EXE --a--- 28672 bytes [01:50 19/10/2005] [13:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--- 95360 bytes [23:05 27/10/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [11:54 02/11/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:09 22/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--- 95360 bytes [01:58 19/10/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


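The SystemLook log above lists every on-disk copy of atapi.sys with its MD5, which is exactly what you need to decide whether the driver Windows is loading matches a known-good copy and which spare to restore from. The script below is an added example, not part of the thread or of SystemLook itself; it parses the ":filefind" line format as it appears in the posted log (path, attribute flags, size, "[HH:MM DD/MM/YYYY]" created and modified stamps, MD5), compares the copy in system32\drivers against the others, and picks the newest spare as the restore source. The sample input is the log above, copied into a string.

```python
import re
from datetime import datetime

# Constructed sample: the SystemLook ":filefind atapi*" output posted in the thread.
SYSTEMLOOK_LOG = r"""
Searching for "atapi*"
C:\dell\ATAPI.EXE --a--- 28672 bytes [01:50 19/10/2005] [13:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--- 95360 bytes [23:05 27/10/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [11:54 02/11/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:09 22/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--- 95360 bytes [01:58 19/10/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# One SystemLook filefind line: path, six attribute flags, size, [created] [modified], MD5.
# The path is matched lazily so paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

def _stamp(text):
    # SystemLook writes timestamps as "HH:MM DD/MM/YYYY" (format taken from the log)
    return datetime.strptime(text, "%H:%M %d/%m/%Y")

def parse_filefind(log):
    """Return one record per file line of a SystemLook filefind log."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the 'Searching for' header
        records.append({
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1].lower(),
            "size": int(m["size"]),
            "modified": _stamp(m["modified"]),
            "md5": m["md5"].upper(),
        })
    return records

def compare_driver(records, name):
    """Compare the loaded driver (the copy in the drivers directory) with every other copy."""
    name = name.lower()
    copies = [r for r in records if r["name"] == name]
    live = next(r for r in copies
                if r["path"].lower().endswith("\\system32\\drivers\\" + name))
    others = [r for r in copies if r is not live]
    return {
        "live": live,
        "matching": [r["path"] for r in others if r["md5"] == live["md5"]],
        "differing": [r["path"] for r in others if r["md5"] != live["md5"]],
    }

def restore_candidate(records, name):
    """Newest spare copy outside the drivers directory: the source for a 'copy ... /y' restore."""
    name = name.lower()
    spares = [r for r in records
              if r["name"] == name and "\\system32\\drivers\\" not in r["path"].lower()]
    return max(spares, key=lambda r: r["modified"])["path"]

if __name__ == "__main__":
    recs = parse_filefind(SYSTEMLOOK_LOG)
    result = compare_driver(recs, "atapi.sys")
    print("loaded copy: ", result["live"]["path"], result["live"]["md5"])
    print("same hash:   ", result["matching"])
    print("different:   ", result["differing"])
    print("restore from:", restore_candidate(recs, "atapi.sys"))
```

Run against this log, the loaded driver hashes identically to the ServicePackFiles copy, and the three older copies differ only because they are the pre-SP3 build. That is worth a caveat: every hash here was read through the running OS, yet GMER's kernel-level scan reported a "suspicious modification" of the same file and ComboFix later reported disinfecting it. A matching hash obtained from inside a possibly rootkitted system is weak evidence, because a kernel rootkit that hooks the disk path can hand clean bytes to anyone who opens the file; when the scanners disagree, verify the file from offline boot media.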

#5
December 2, 2009 at 17:14:16
Please run the following command from the Command Prompt. To do so:

1. Click on Start, then Run.
2. Type cmd into the area to the right of Open:
3. Click OK.
4. In the Command Prompt window that opens, copy and paste the line below:

copy C:\WINDOWS\ServicePackFiles\i386\atapi.dll C:\ /y

5. Press the Enter key on your keyboard.
6. If successful, you should receive the following message within the Command Prompt window:
1 file(s) copied
7. Exit the Command Prompt window.

Please run SystemLook again as you did in response #3 and post its log.



#6
December 3, 2009 at 05:41:49
Did that. It said "system cannot find the file specified".


#7
December 3, 2009 at 11:35:10
Did you have to type this in:

copy C:\WINDOWS\ServicePackFiles\i386\atapi.dll C:\ /y

If so, there is a space after copy, atapi.dll and C:\ that is needed for the command to work.



#8
December 3, 2009 at 13:51:20
Nope, copied and pasted the entire line. Tried it in several variations; still did nothing. Says no file.


#9
December 3, 2009 at 16:24:38
This is a different way of moving the file, just pay close attention to the directions.

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.


1. Next navigate to C:\windows\system32\drivers
2. Reduce your screen size by clicking the double boxes at the top right of your screen so that the desktop can be seen.
3. Now drag this file to the desktop:


atapi.dll

4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in the c:\windows\system32\drivers folder. You may have to press F5 more than once.

5a. If a fresh copy is regenerated, reboot the machine.

5b. If a fresh copy ISN'T regenerated, move the copy from the Desktop back to its original location. <--- If you fail to perform this step you will render your computer unbootable!!!



#10
December 4, 2009 at 06:12:23
Went there, no file with the extension atapi.dll. Only atapi.sys.
By the way, if I search for ANYTHING virus related, the virus pro thing pops up and is a PITA!


#11
December 4, 2009 at 10:35:09
Looks like I made a typo; it should have been atapi.sys.

Let's move it differently. I believe ComboFix will replace that file now.

Remember...your antivirus and any antispyware that you have must be turned off or disabled before you run ComboFix. There is a clickable link "This Link" in the ComboFix tutorial below that will help you get your antivirus and antispyware turned off/disabled.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#12
December 4, 2009 at 10:57:34
Will not let me save combofix as Combo-fix; says invalid file name.


#13
December 4, 2009 at 11:06:01
Try just Combofix.


#14
December 4, 2009 at 11:29:31
Do you want me to leave the ">" on the end?


#15
December 4, 2009 at 11:35:02
No. Also, if you download it with Internet Explorer it will allow you to rename it to Combo-Fix. My Opera and Firefox would not. I would prefer that you rename it Combo-Fix if possible, as it may make some difference in how it runs.


#16
December 4, 2009 at 12:56:09
ComboFix 09-12-03.06 - mike 12/04/2009 14:28.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.60 [GMT -6:00]
Running from: c:\documents and settings\mike\Desktop\Combo-Fix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-03 20:13 . 2009-12-03 20:13 -------- d-----w- c:\documents and settings\mike\Local Settings\Application Data\Threat Expert
2009-12-03 16:03 . 2009-12-03 20:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-02 15:21 . 2009-12-02 16:07 -------- d-----w- c:\program files\trend micro
2009-12-02 15:21 . 2009-12-02 15:22 -------- d-----w- C:\rsit
2009-11-30 01:24 . 2009-11-29 23:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-29 23:48 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-29 23:48 . 2009-11-29 23:48 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-29 23:48 . 2009-11-29 23:48 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-29 23:48 . 2009-11-29 23:48 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-29 23:48 . 2009-11-29 23:48 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-29 23:48 . 2009-11-29 23:48 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-29 23:48 . 2009-11-29 23:48 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-29 23:48 . 2009-11-29 23:48 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-29 23:48 . 2009-11-29 23:48 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-11-29 23:48 . 2009-11-29 23:48 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-29 23:48 . 2009-11-29 23:48 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-29 23:45 . 2009-11-29 23:45 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-29 23:45 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-27 22:26 . 2009-11-27 22:26 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-27 22:19 . 2009-11-27 22:19 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2009-11-27 22:18 . 2009-11-27 22:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-11-27 22:18 . 2009-11-27 22:24 -------- d-s---w- c:\documents and settings\Administrator
2009-11-08 20:31 . 2009-11-08 20:31 1408800 ----a-w- c:\documents and settings\mike\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-04 22:01 . 2009-11-04 22:01 152576 ----a-w- c:\documents and settings\mike\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 13:40 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-30 22:06 . 2005-10-22 21:05 31982 ----a-w- c:\documents and settings\mike\Application Data\wklnhst.dat
2009-11-29 23:48 . 2009-11-29 23:47 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-29 23:44 . 2005-10-22 17:28 -------- d-----w- c:\program files\Lavasoft
2009-11-29 22:25 . 2008-03-12 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-23 16:42 . 2008-12-06 16:21 -------- d-----w- c:\documents and settings\mike\Application Data\gtk-2.0
2009-11-08 20:32 . 2009-09-25 13:55 127325 ----a-w- c:\documents and settings\mike\Application Data\Move Networks\uninstall.exe
2009-11-08 20:32 . 2007-10-01 01:29 -------- d-----w- c:\documents and settings\mike\Application Data\Move Networks
2009-11-08 20:31 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\mike\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-04 22:03 . 2005-10-19 02:07 -------- d-----w- c:\program files\Java
2009-10-11 10:17 . 2009-01-28 12:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 13:55 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\mike\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 13:55 . 2009-09-25 13:55 1407680 ----a-w- c:\documents and settings\mike\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2009-08-30 16:40 815104 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2009-08-30 815104]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2009-08-30 815104]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-08-16 36864]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-19 98304]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-24 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36946:TCP"= 36946:TCP:lime wire
"36946:UDP"= 36946:UDP:limkewire

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/29/2009 5:48 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2009-12-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\mike\Application Data\Mozilla\Firefox\Profiles\yc7hk11r.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Burn4Free Toolbar - c:\windows\Burn4Free_Toolbar_Uninstaller_9125.exe _?=c:\program files\Burn4Free Toolbar
AddRemove-PictureItPrem_v10 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=PREM
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 14:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-04 14:56
ComboFix-quarantined-files.txt 2009-12-04 20:56

Pre-Run: 42,561,163,264 bytes free
Post-Run: 43,665,842,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0BBD3FC81102BFB73B60208F5639EA9C



#17
December 4, 2009 at 13:20:54
That looks much better. Are you still being redirected? I see that LimeWire has some ports open; that may be the cause of your grief. These ports would be unprotected, with no restrictions on what goes in and out of your computer. I suggest that you uninstall LimeWire, but that's up to you.

If you are not being redirected there is some clean-up to do.

Delete Gmer and SystemLook from your desktop

Go to Start > Run, type in ComboFix /Uninstall (note the space after ComboFix), then press Enter. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.


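The open LimeWire ports the reply above points at can be read straight out of the firewall-policy section of the ComboFix log. The script below is an added example, not part of the thread or of ComboFix; it parses those REGEDIT4-style lines (the sample is copied from the log above) and reports a disabled Windows Firewall, ports opened to every remote address, and authorized applications living outside the Windows and Program Files directories. That last heuristic is my own assumption about what deserves a second look (an installer sitting at the root of C:\ is unusual), not something the thread states.

```python
import re

# Constructed sample: the firewall-policy keys from the ComboFix log posted above.
COMBOFIX_FIREWALL = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36946:TCP"= 36946:TCP:lime wire
"36946:UDP"= 36946:UDP:limkewire
"""

# A value line in the dump looks like  "name"= value  (value may be empty).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

def parse_registry_dump(text):
    """Group "name"= value lines under the [key] header that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m["name"], m["value"].strip()))
    return sections

# Locations an authorized application is expected to live in (assumption, see lead-in).
EXPECTED_PREFIXES = ("%windir%", "c:\\program files\\", "c:\\windows\\")

def review_firewall(text):
    """Summarise the standard-profile firewall policy and list what a reviewer should question."""
    sections = parse_registry_dump(text)
    findings = {"firewall_enabled": True, "authorized_apps": [], "open_ports": [], "warnings": []}
    for key, entries in sections.items():
        if key.endswith("standardprofile"):
            for name, value in entries:
                if name == "EnableFirewall":
                    findings["firewall_enabled"] = value.split()[0] != "0"
        elif key.endswith("authorizedapplications\\list"):
            # the dump doubles backslashes; collapse them to real paths
            findings["authorized_apps"] = [name.replace("\\\\", "\\") for name, _ in entries]
        elif key.endswith("globallyopenports\\list"):
            findings["open_ports"] = [name for name, _ in entries]
    if not findings["firewall_enabled"]:
        findings["warnings"].append("Windows Firewall is disabled for the standard profile")
    for port in findings["open_ports"]:
        findings["warnings"].append(f"port {port} is open to any remote address")
    for app in findings["authorized_apps"]:
        if not app.lower().startswith(EXPECTED_PREFIXES):
            findings["warnings"].append(f"authorized application in an unusual location: {app}")
    return findings

if __name__ == "__main__":
    for warning in review_firewall(COMBOFIX_FIREWALL)["warnings"]:
        print("-", warning)
```

On this log the output is four lines: the firewall is off, 36946/TCP and 36946/UDP are open globally for LimeWire, and c:\StubInstaller.exe has a firewall exception. Note the EnableFirewall=0 entry: with the profile disabled, the per-application exceptions and open-port list are moot, so the first finding is the one to fix before arguing about LimeWire.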

#18
December 4, 2009 at 13:56:32
It APPEARS that everything's running again. Can't thank you enough. You guys are great. Downloaded SpywareBlaster too. Hope it helps. Mike.


#19
December 4, 2009 at 15:06:28
Glad we could help.
