Search Links Redirected & Rogue Adware

Sony / Pcg-k37(uc)
December 20, 2009 at 21:28:55
Specs: Microsoft Windows XP Professional, 3.189 GHz / 958 MB
Clicking on any search link from Google or Yahoo! automatically redirects to an unrelated page for advertising purposes.

Often, a warning will pop up with the message, "Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti-virus check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs." Then, a new window will pop up and show a scanning of the PC.

Please help!





#1
December 21, 2009 at 06:05:23
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

You may need to download the tool to a USB drive or CD and run it on the infected computer, but first try to run it from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable it:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

If nothing happens or if the tool does not run, please let me know in your next reply.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista users only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download RootRepeal from one of the links on the RootRepeal download page. It can be downloaded as a .rar or .zip file, whichever you like. If you get a bandwidth problem notice, just try another link.


RootRepeal

Extract the RootRepeal.exe file from the RAR or ZIP and save the EXE file to your Desktop.
Disable your antivirus, antispyware, and firewalls before continuing or they may block RootRepeal from running properly.
Now run the RootRepeal.exe program by double clicking on it.
At the bottom, click the Files tab and then click the Scan button.
A Select Drives form will open. Select all of your drives by checking the boxes and then click OK.
It will start scanning. It may take a while to finish depending on how many drives, files and folders you have, so be patient and wait on it.
When it finishes, click "Save Report" and save it in an easy place to locate, such as your desktop. Save it as Rrlog.txt.
Please post the log that was produced to the forum.



#2
December 21, 2009 at 18:50:23
Dear jabuck,

Many thanks for your help.

1. Contents of "exehelperlog.txt"
--------------------------------------------------------------------------------
exeHelper by Raktor
Build 20091220
Run at 18:09:07 on 12/21/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
--------------------------------------------------------------------------------

2. "rkill" was successfully executed

3. Contents of "RSIT" logs:

http://rapidshare.com/files/3241898...
http://rapidshare.com/files/3241898...

4. Contents of "Rrlog.txt"
--------------------------------------------------------------------------------
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/21 18:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_gbllncgmxupsnad
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_j6xcefcqoaveqy1
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_k9oamblcptlznjp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_p6hccczxspvt0cj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_savr9y6l5pfke4q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_su1z2upsatndcgl
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_u5fayjvs0zxvahv
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ucilsi4hdwkshjc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_xnpwwdfbfp41uwu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\kim\local settings\application data\microsoft\internet explorer\recovery\active\{9d791974-ee9b-11de-8c26-000e9b6d1cf6}.dat
Status: Size mismatch (API: 219136, Raw: 215040)

Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume H:\, Sector 1
Status: Sector mismatch

Path: Volume H:\, Sector 2
Status: Sector mismatch

Path: Volume H:\, Sector 3
Status: Sector mismatch

Path: Volume H:\, Sector 4
Status: Sector mismatch

Path: Volume H:\, Sector 5
Status: Sector mismatch

Path: Volume H:\, Sector 6
Status: Sector mismatch

Path: Volume H:\, Sector 7
Status: Sector mismatch

Path: Volume H:\, Sector 8
Status: Sector mismatch

Path: Volume H:\, Sector 9
Status: Sector mismatch

Path: Volume H:\, Sector 10
Status: Sector mismatch

Path: Volume H:\, Sector 11
Status: Sector mismatch

Path: Volume H:\, Sector 12
Status: Sector mismatch

Path: Volume H:\, Sector 13
Status: Sector mismatch

Path: Volume H:\, Sector 14
Status: Sector mismatch

Path: Volume H:\, Sector 15
Status: Sector mismatch

Path: Volume H:\, Sector 16
Status: Sector mismatch

Path: Volume H:\, Sector 17
Status: Sector mismatch

Path: Volume H:\, Sector 18
Status: Sector mismatch

Path: Volume H:\, Sector 19
Status: Sector mismatch

Path: Volume H:\, Sector 20
Status: Sector mismatch

Path: Volume H:\, Sector 21
Status: Sector mismatch

Path: Volume H:\, Sector 22
Status: Sector mismatch

Path: Volume H:\, Sector 23
Status: Sector mismatch

Path: Volume H:\, Sector 24
Status: Sector mismatch

Path: Volume H:\, Sector 25
Status: Sector mismatch

Path: Volume H:\, Sector 26
Status: Sector mismatch

Path: Volume H:\, Sector 27
Status: Sector mismatch

Path: Volume H:\, Sector 28
Status: Sector mismatch

Path: Volume H:\, Sector 29
Status: Sector mismatch

Path: Volume H:\, Sector 30
Status: Sector mismatch

Path: Volume H:\, Sector 31
Status: Sector mismatch

Path: Volume H:\, Sector 32
Status: Sector mismatch

Path: Volume H:\, Sector 33
Status: Sector mismatch

Path: Volume H:\, Sector 34
Status: Sector mismatch

Path: Volume H:\, Sector 35
Status: Sector mismatch

Path: Volume H:\, Sector 36
Status: Sector mismatch

Path: Volume H:\, Sector 37
Status: Sector mismatch

Path: Volume H:\, Sector 38
Status: Sector mismatch

Path: Volume H:\, Sector 39
Status: Sector mismatch

Path: Volume H:\, Sector 40
Status: Sector mismatch

Path: Volume H:\, Sector 41
Status: Sector mismatch

Path: Volume H:\, Sector 42
Status: Sector mismatch

Path: Volume H:\, Sector 43
Status: Sector mismatch

Path: Volume H:\, Sector 44
Status: Sector mismatch

Path: Volume H:\, Sector 45
Status: Sector mismatch

Path: Volume H:\, Sector 46
Status: Sector mismatch

Path: Volume H:\, Sector 47
Status: Sector mismatch

Path: Volume H:\, Sector 48
Status: Sector mismatch

Path: Volume H:\, Sector 49
Status: Sector mismatch

Path: Volume H:\, Sector 50
Status: Sector mismatch

Path: Volume H:\, Sector 51
Status: Sector mismatch

Path: Volume H:\, Sector 52
Status: Sector mismatch

Path: Volume H:\, Sector 53
Status: Sector mismatch

Path: Volume H:\, Sector 54
Status: Sector mismatch

Path: Volume H:\, Sector 55
Status: Sector mismatch

Path: Volume H:\, Sector 56
Status: Sector mismatch

Path: Volume H:\, Sector 57
Status: Sector mismatch

Path: Volume H:\, Sector 58
Status: Sector mismatch

Path: Volume H:\, Sector 59
Status: Sector mismatch

Path: Volume H:\, Sector 60
Status: Sector mismatch

Path: Volume H:\, Sector 61
Status: Sector mismatch

Path: Volume H:\, Sector 62
Status: Sector mismatch

Path: H:\autorun
Status: Visible to the Windows API, but not on disk.

Path: H:\autorun.inf
Status: Visible to the Windows API, but not on disk.

Path: H:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: H:\My Pictures
Status: Visible to the Windows API, but not on disk.

Path: H:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: H:\Kim
Status: Visible to the Windows API, but not on disk.

Path: H:\DVD Shrink 2.3.exe
Status: Visible to the Windows API, but not on disk.

Path: H:\Tmp
Status: Visible to the Windows API, but not on disk.

Path: H:\Download
Status: Visible to the Windows API, but not on disk.

Path: H:\My Music
Status: Visible to the Windows API, but not on disk.

Path: H:\Kim's Stuff
Status: Visible to the Windows API, but not on disk.

Path: H:\My Videos
Status: Visible to the Windows API, but not on disk.


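The RootRepeal report above runs to more than sixty lines for a single finding on H:\ (one "Sector mismatch" line per sector), with the autorun.inf entries buried among the other "Visible to the Windows API, but not on disk" paths. The script below is an added example, not part of the thread and not RootRepeal's own code: it parses the Path:/Status: pairs RootRepeal writes and reduces them to a few triage lines, collapsing per-sector findings by volume, listing volumes labelled as MBR rootkit separately, and calling out any autorun.inf among the API-only entries. The SAMPLE string is a short excerpt of the log posted above; the function and bucket names are the example's own.

```python
import re
from collections import defaultdict

# Excerpt of the RootRepeal log posted above (only two of the 62 sector lines kept).
SAMPLE = """\
Hidden/Locked Files
-------------------
Path: c:\\windows\\temp\\sqlite_gbllncgmxupsnad
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: Volume H:\\
Status: MBR Rootkit Detected!

Path: Volume H:\\, Sector 1
Status: Sector mismatch

Path: Volume H:\\, Sector 2
Status: Sector mismatch

Path: H:\\autorun.inf
Status: Visible to the Windows API, but not on disk.

Path: H:\\Kim
Status: Visible to the Windows API, but not on disk.
"""

# "Volume H:\, Sector 12" -> volume "H:\", sector 12
SECTOR_RE = re.compile(r"^Volume (?P<vol>[A-Za-z]:\\), Sector (?P<n>\d+)$")


def parse_findings(text):
    """Return (path, status) pairs; RootRepeal writes them as adjacent lines."""
    findings = []
    path = None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            findings.append((path, line[len("Status: "):].strip()))
            path = None
    return findings


def triage(text):
    """Sort findings into the buckets a responder looks at separately."""
    out = {
        "sector_mismatch": defaultdict(list),  # volume -> [sector numbers]
        "mbr_flagged": [],   # volumes RootRepeal labelled "MBR Rootkit Detected"
        "api_only": [],      # visible to the Windows API but not on disk
        "autorun": [],       # subset of api_only named autorun.inf
        "other": [],         # everything else, kept verbatim
    }
    for path, status in parse_findings(text):
        m = SECTOR_RE.match(path)
        if m and status == "Sector mismatch":
            out["sector_mismatch"][m.group("vol")].append(int(m.group("n")))
        elif status.startswith("MBR Rootkit Detected"):
            vol = path[len("Volume "):] if path.startswith("Volume ") else path
            out["mbr_flagged"].append(vol)
        elif status.startswith("Visible to the Windows API, but not on disk"):
            out["api_only"].append(path)
            if path.lower().endswith("\\autorun.inf"):
                out["autorun"].append(path)
        else:
            out["other"].append((path, status))
    out["sector_mismatch"] = dict(out["sector_mismatch"])
    return out


def summary_lines(text):
    """One line per bucket, so a 300-line report reads as a handful of facts."""
    t = triage(text)
    lines = []
    for vol, sectors in t["sector_mismatch"].items():
        lines.append(f"{vol} sectors {min(sectors)}-{max(sectors)}: "
                     f"{len(sectors)} sector mismatches")
    for vol in t["mbr_flagged"]:
        lines.append(f"{vol} flagged as MBR rootkit; confirm with a second MBR reader")
    if t["autorun"]:
        lines.append("autorun.inf seen only through the API: " + ", ".join(t["autorun"]))
    lines.append(f"{len(t['api_only'])} API-only entries, {len(t['other'])} other findings")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE)))
```

The "MBR flagged" line is deliberately worded as something to confirm rather than a verdict: a single tool's sector-level mismatch on a removable volume is exactly the kind of result the next posts in this thread cross-check with a second MBR reader.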

#3
December 21, 2009 at 19:25:57
Please download MBR.exe and save it to C:\

Then Navigate to C:\ and double click the MBR.exe executable file> click run.

It will produce a brief log, mbr.txt in the same directory as the program. Please copy/paste that log here.




#4
December 21, 2009 at 19:38:08
Contents of "mbr.log"
--------------------------------------------------------------------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


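The result above ("user & kernel MBR OK") means the tool obtained the first sector twice, once through the normal user-mode path and once from the kernel, and the two copies agreed. The code below is an added example, not code from the thread or from Gmer's tool, that shows what such a comparison reports when the copies do not agree: it parses the classic MBR layout (446 bytes of bootstrap code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and names the region where two 512-byte images differ. Both images are constructed here, and the "patched" one simulates a modified bootstrap; how the tool actually obtains the kernel-side read is not shown.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 446          # bootstrap code occupies bytes 0..445
ENTRY = 16              # four partition entries follow, 16 bytes each
SIG_OFF = 510           # 0x55AA boot signature in the last two bytes
SIGNATURE = b"\x55\xaa"


def build_mbr(code, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and (bootable, type, lba, count) tuples.

    Constructed helper for this example only; CHS fields are left zero.
    """
    if len(code) > CODE_END:
        raise ValueError("bootstrap code too long")
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", sector, CODE_END + i * ENTRY,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIG_OFF:] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Decode the fields a rootkit check cares about."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, CODE_END + i * ENTRY)
        if ptype:  # type 0 = unused slot
            parts.append({"bootable": flag == 0x80, "type": ptype, "lba": lba, "count": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[SIG_OFF:] == SIGNATURE,
    }


def compare_reads(user_read, kernel_read):
    """Name every MBR region where the two reads disagree (empty list = OK).

    A boot-sector rootkit that filters disk reads typically hands user mode the
    original sector while the raw read returns the patched one, so the usual
    finding is "bootstrap code" alone; a differing partition table or a
    missing signature points at something else (or at a bad read).
    """
    diffs = []
    if user_read[:CODE_END] != kernel_read[:CODE_END]:
        diffs.append("bootstrap code")
    for i in range(4):
        lo, hi = CODE_END + i * ENTRY, CODE_END + (i + 1) * ENTRY
        if user_read[lo:hi] != kernel_read[lo:hi]:
            diffs.append(f"partition entry {i}")
    if user_read[SIG_OFF:] != kernel_read[SIG_OFF:]:
        diffs.append("boot signature")
    return diffs


# Constructed sample: one bootable NTFS-type partition starting at LBA 63.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
PARTS = [(True, 0x07, 63, 0x01E00000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
# Same partition table, different first instructions: the shape of a patched MBR.
PATCHED_MBR = build_mbr(b"\xeb\x1e\x90\x90" + CLEAN_CODE[4:], PARTS)


def demo():
    """Run the comparison for both constructed scenarios."""
    return {
        "clean_vs_clean": compare_reads(CLEAN_MBR, CLEAN_MBR),
        "clean_vs_patched": compare_reads(CLEAN_MBR, PATCHED_MBR),
    }


if __name__ == "__main__":
    for name, diffs in demo().items():
        verdict = "user & kernel MBR OK" if not diffs else "mismatch in " + ", ".join(diffs)
        print(f"{name}: {verdict}")
```

Note that the partition table decodes identically from both images; only the code hash changes. That is why a clean mbr.exe result next to RootRepeal's per-sector complaints about H:\ is a meaningful contradiction rather than just two tools disagreeing.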

#5
December 21, 2009 at 19:53:56
Must be a false positive on the MBR (master boot record) infection.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


4. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
5. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.



#6
December 21, 2009 at 20:48:32
Dear jabuck,

"TDSSKiller" indicated that there are a few infected objects that will be either cured or deleted on reboot. (Sorry that I did not note them down.) I selected to enter Y to reboot.

After rebooting and without seeing any log file, I ran "TDSSKiller" again to produce the log. (Very sorry if I messed up what you intended to do.)

Contents of "TDSSKiller.txt" log:

http://rapidshare.com/files/3242188...



#7
December 21, 2009 at 21:01:06
Are you still being redirected?

Remember, your McAfee antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#8
December 21, 2009 at 21:17:16
Oh, good! Looks like I am not redirected to advertisement sites anymore.

Should I still do the "ComboFix" per your instruction above?



#9
December 21, 2009 at 21:29:58
Yes, let's look for stragglers.


#10
December 21, 2009 at 22:07:16
Contents of "ComboFix.txt" log:

http://rapidshare.com/files/3242421...



#11
December 21, 2009 at 23:01:45
I am having a similar problem. I followed the steps above and my computer still goes to other websites instead of the link I click on.


#12
December 22, 2009 at 11:12:49
kerab, please start a thread of your own and someone will try to help you.


#13
December 22, 2009 at 18:34:20
Dear jabuck,

Just to recap and continue: Even though I am not redirected to advertisement sites anymore, you advised me to do the "ComboFix" to look for any stragglers.

Contents of "ComboFix.txt" log:

http://rapidshare.com/files/3242421...



#14
December 22, 2009 at 19:00:03
Is there some reason why you are not posting the results of the scans to the forum instead of to rapidshare? The results need to be posted here. If you cannot get all the info into one post, break it up into segments and make several posts to get all the info to us.


#15
December 22, 2009 at 19:19:10
Oops, I did not mean to inconvenience you. Very sorry about that.

--------------------------------------------------------------------------------
ComboFix 09-12-21.02 - Kim 12/21/09 21:45:18.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.619 [GMT -8:00]
Running from: c:\documents and settings\Kim\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kim\My Documents\Registry040505.reg
c:\windows\irc.txt
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\Install.txt
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS


((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 00:26 . 2009-12-22 00:26 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-12-22 00:19 . 2009-12-22 00:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-22 00:16 . 2009-12-22 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-21 22:26 . 2009-12-21 22:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-21 22:23 . 2009-12-21 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-21 22:23 . 2009-12-21 22:23 -------- d-----w- c:\program files\SiteAdvisor
2009-12-21 22:19 . 2009-11-05 00:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-21 22:19 . 2009-11-05 00:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-21 22:19 . 2009-11-05 00:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-21 22:19 . 2009-07-16 20:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-21 22:17 . 2009-12-21 22:19 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-21 22:17 . 2009-12-21 22:18 -------- d-----w- c:\program files\McAfee.com
2009-12-21 22:17 . 2009-12-22 01:42 -------- d-----w- c:\program files\McAfee
2009-12-21 22:16 . 2009-11-05 00:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-21 21:21 . 2009-12-21 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-12-21 18:17 . 2009-12-21 18:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-21 18:17 . 2009-12-21 18:17 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-12-21 06:40 . 2009-12-22 02:12 -------- d-----w- c:\program files\trend micro
2009-12-21 03:46 . 2009-12-22 01:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-21 03:46 . 2009-12-22 00:58 -------- d-----w- c:\program files\SpywareBlaster
2009-12-21 02:52 . 2009-12-21 02:52 -------- d-----w- c:\documents and settings\Kim\Application Data\Malwarebytes
2009-12-21 02:51 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 02:51 . 2009-12-21 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-21 02:51 . 2009-12-21 02:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 02:51 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 02:23 . 2009-12-21 02:25 -------- d-----w- c:\windows\system32\Temp
2009-12-19 22:27 . 2009-12-19 22:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-19 06:17 . 2009-12-19 06:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-16 03:20 . 2009-12-22 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-14 00:46 . 2009-12-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-27 23:47 . 2009-11-27 23:47 -------- d-----w- c:\documents and settings\Kim\Application Data\FastStone
2009-11-27 23:47 . 2009-11-27 23:47 -------- d-----w- c:\program files\FastStone Photo Resizer
2009-11-26 20:37 . 2009-11-26 20:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 20:04 . 2009-12-14 00:54 -------- d-----w- c:\documents and settings\Kim\Application Data\Any Video Converter
2009-11-26 20:04 . 2009-11-26 20:22 -------- d-----w- c:\program files\Any Video Converter
2009-11-26 18:27 . 2009-11-26 18:27 -------- d-----w- c:\documents and settings\Kim\Application Data\Canon
2009-11-26 18:20 . 2008-05-19 17:47 102400 ----a-w- c:\windows\system32\CNCLSI34d.DLL
2009-11-26 18:20 . 2008-05-19 17:47 131072 ----a-w- c:\windows\system32\CNCLSD34d.DLL
2009-11-26 18:20 . 2008-05-19 17:47 94208 ----a-w- c:\windows\system32\CNCLSC34d.DLL
2009-11-26 18:20 . 2008-05-19 17:47 106496 ----a-w- c:\windows\system32\CNCLST34d.DLL
2009-11-26 18:20 . 2008-05-19 17:47 188416 ----a-w- c:\windows\system32\CNCLSU34d.DLL
2009-11-26 18:20 . 2008-05-19 17:47 53248 ----a-w- c:\windows\system32\CNCLSO34d.dll
2009-11-26 18:20 . 2008-05-19 17:46 86016 ----a-w- c:\windows\system32\CNCI460.DLL
2009-11-26 18:20 . 2008-05-19 17:46 114688 ----a-w- c:\windows\system32\CNCL460.DLL
2009-11-26 18:20 . 2008-05-19 17:47 278528 ----a-w- c:\windows\system32\CNCC460.DLL
2009-11-26 18:17 . 2009-11-26 18:17 -------- d-----w- c:\program files\Canon
2009-11-26 18:17 . 2007-04-19 01:14 69632 ----a-w- c:\windows\system32\CNAS0MMK.DLL
2009-11-26 18:17 . 2009-11-26 18:17 -------- d--h--w- c:\windows\system32\CanonMF Uninstaller Information
2009-11-26 18:17 . 2009-11-26 18:17 -------- d-----w- C:\CanonMF
2009-11-26 18:16 . 2004-08-04 07:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-26 18:16 . 2004-08-04 07:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-26 08:04 . 2009-11-26 20:45 -------- d-----w- c:\documents and settings\Kim\ZipForm
2009-11-26 08:01 . 2009-11-26 08:01 -------- d--h--w- c:\program files\Zero G Registry
2009-11-26 08:01 . 2009-11-26 08:01 -------- d-----w- c:\program files\ZipLogix
2009-11-26 08:01 . 2009-11-26 08:01 -------- d--h--w- c:\documents and settings\Kim\InstallAnywhere
2009-11-26 07:46 . 2009-11-26 07:46 -------- d-----w- c:\program files\UniKey
2009-11-26 05:29 . 2009-12-21 23:29 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\CutePDF Writer
2009-11-26 02:27 . 2009-11-26 02:27 -------- d-----w- c:\program files\GPLGS
2009-11-26 02:27 . 2009-11-26 02:31 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\AskToolbar
2009-11-26 02:26 . 2009-11-26 02:26 -------- d-----w- c:\program files\Ask.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 04:08 . 2002-08-29 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-22 04:04 . 2009-12-22 04:04 95360 ----a-w- c:\windows\system32\drivers\atapi.tsk
2009-12-22 00:25 . 2004-12-13 01:32 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-22 00:17 . 2009-12-22 00:17 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-21 22:54 . 2005-04-03 07:43 -------- d-----w- c:\program files\FastStone Image Viewer
2009-12-21 22:04 . 2005-12-31 19:09 -------- d-----w- c:\program files\Google
2009-12-21 21:55 . 2004-12-12 22:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 04:44 . 2009-12-21 04:44 195584 ----a-w- c:\documents and settings\Kim\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-73286a89-n\WMINative.dll
2009-12-01 22:51 . 2005-03-25 18:46 -------- d-----w- c:\documents and settings\Kim\Application Data\Apple Computer
2009-11-26 20:37 . 2005-03-20 05:58 -------- d-----w- c:\program files\Java
2009-11-26 20:37 . 2009-11-26 20:37 152576 ----a-w- c:\documents and settings\Kim\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-26 20:36 . 2009-11-26 20:36 79488 ----a-w- c:\documents and settings\Kim\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-26 02:26 . 2005-03-20 05:20 -------- d-----w- c:\program files\Acro Software
2009-11-20 11:08 . 2009-12-22 00:20 38784 ----a-w- c:\documents and settings\Kim\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 11:08 . 2009-12-22 00:19 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-19 05:23 . 2009-11-19 05:23 -------- d-----w- c:\documents and settings\Kim\Application Data\MSN6
2009-11-19 05:23 . 2009-11-19 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-05 16:39 . 2005-03-20 05:20 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-11-05 00:54 . 2009-11-05 00:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-12-13 09:13 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00 . 2004-12-13 09:13 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 14:58 . 2004-12-13 09:13 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2002-08-29 12:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2002-08-29 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2002-08-29 12:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-30 18:36 . 2009-05-03 22:48 152576 ----a-w- c:\documents and settings\Kim\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2003-08-27 22:19 . 2004-12-14 01:43 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2001-11-30 19:09 . 2005-04-02 00:08 49152 ----a-r- c:\program files\Common Files\HDvAvi.dll
2002-04-03 22:01 . 2005-04-08 03:44 286720 ------w- c:\program files\internet explorer\plugins\PanoViewer.dll
1999-04-30 23:00 . 2005-04-08 03:44 98304 ------w- c:\program files\internet explorer\plugins\UPjpeg.dll
.

------- Sigcheck -------

[-] 2009-12-22 04:08 . A17DA141675569513FE241301C1AB77D . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\WinXP_SP2_bak\$ntservicepackuninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-17 01:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-20 180269]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-08 155648]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"RemoteControl"="c:\windows\System32\rmctrl.exe" [2004-05-19 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 122880]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-12 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_04\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/21/09 02:22 PM 203280]
R2 MLPTDR_B;MLPTDR_B;c:\windows\system32\MLPTDR_B.SYS [09/02/03 01:06 PM 20064]
S2 gupdate1ca0306254d2f60;Google Update Service (gupdate1ca0306254d2f60);c:\program files\Google\Update\GoogleUpdate.exe [07/12/09 07:33 AM 133104]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S4 Pdcom544wcpi;Pdcom544wcpi; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
AddRemove-FastStone Image Viewer - c:\program files\FastStone Image Viewer\uninst.exe
AddRemove-HijackThis - c:\documents and settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\AQO8L32B\HijackThis.exe
AddRemove-WinZip - c:\save\Software\WinZip\WINZIP32.EXE



#16
December 22, 2009 at 19:19:49
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 21:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\HPHipm09.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-12-21 21:59:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 05:59

Pre-Run: 30,959,407,104 bytes free
Post-Run: 31,348,228,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 2BD752D374E484FD91006B1140C2003E



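The ComboFix output pasted in the two posts above records several weakened-defence indicators a responder would want pulled out automatically: the Windows Firewall policy with EnableFirewall=0, the Security Center "DisableMonitoring" entries, services whose binary ComboFix marks as missing ([x]) or unresolvable ([?]), and an atapi ImagePath that does not point at the standard atapi.sys. Below is an added Python checker for ComboFix-style log text; it is not part of this thread or of ComboFix, and the sample it scans is constructed from lines like those above.

```python
import re

# Constructed sample, modelled on lines from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S4 Pdcom544wcpi;Pdcom544wcpi; [x]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')                      # [registry key]
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.*)$')  # R2 name;display;path [...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')              # "name"=value

def audit_combofix_log(text):
    """Return (severity, message) findings for weakened-defence indicators."""
    findings, section = [], ''
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, rest = m.groups()
            if rest.endswith(('[x]', '[?]')):  # ComboFix marks binaries it cannot resolve
                findings.append(('medium', f'service {name} ({state}) has no resolvable binary'))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if 'firewallpolicy' in section and key == 'EnableFirewall' and value.startswith('0'):
            findings.append(('high', 'Windows Firewall disabled (EnableFirewall=0)'))
        elif 'security center\\monitoring' in section and key == 'DisableMonitoring' and value.endswith('1'):
            findings.append(('medium', f'Security Center monitoring disabled under [{section}]'))
        elif 'authorizedapplications' in section and 'system32' in key.lower():
            findings.append(('low', f'system32 binary in firewall exception list: {key}'))
        elif section.endswith('services\\atapi') and key == 'ImagePath' and not value.lower().endswith('atapi.sys'):
            findings.append(('high', f'atapi ImagePath is not the standard atapi.sys: {value}'))
    return findings
```

Feed it the full pasted log and review each finding against what the cleanup tools reported; a finding is a prompt to verify, not proof of infection on its own.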
#17
December 22, 2009 at 19:55:11
You should uninstall Ask Toolbar, it is spyware. Uninstalling it should remove all the files and registry entries.

A little clean-up to do.

Delete RSIT, exehelper, Rkill, RootRepeal, and TDSSKiller from your desktop.

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#18
December 22, 2009 at 21:14:15
Dear jabuck,

I did everything per your instruction above. Thank you so much for all your help. You are truly a God Send!

Best Regards,
kvandry



#19
December 22, 2009 at 21:20:20
Merry Christmas, and Thank You for your kind words...jabuck
