Jumping... when clicking on Google links

ajtallin · 28-Oct-2009, 05:58 PM #1

Hi all,

I've seen a few posts here about this subject and I'm excited to get help to eliminate this issue. To be clear, what's happening is that after doing a Google Search I get the results and when I click on any of the result links, message on the tab just says "Jumping..." and then takes me to a completely different/random site. I've done a scan with HiJackThis and the following is what came up. Thank you in advance for any help you can provide with this! Take care.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:08 PM, on 10/28/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\SYSDLL.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SYSDLL] SYSDLL
O4 - HKCU\..\Run: [inixs] C:\Windows\system32\minix32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS7\Services\Tcpip\..\{9F85783C-2CEF-46FE-8CD3-9F8592797764}: NameServer = 207.164.234.193 207.164.234.129
O17 - HKLM\System\CS8\Services\Tcpip\..\{9F85783C-2CEF-46FE-8CD3-9F8592797764}: NameServer = 207.164.234.193 207.164.234.129
O17 - HKLM\System\CS9\Services\Tcpip\..\{9F85783C-2CEF-46FE-8CD3-9F8592797764}: NameServer = 207.164.234.193 207.164.234.129
O17 - HKLM\System\CS16\Services\Tcpip\..\{9F85783C-2CEF-46FE-8CD3-9F8592797764}: NameServer = 207.164.234.193 207.164.234.129
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8761 bytes

AJ

ajtallin · 30-Oct-2009, 04:29 PM #2

Bump -

NeonFx · 31-Oct-2009, 03:49 AM #3

Hello there

Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - NetSvcs
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Mediafire and post the sharing link.

Step 2

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

Double click to start the program
Click on the Report tab at the bottom of the program window
Click the button
In the Select Scan dialog, check:
- Shadow SSDT
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

ajtallin · 14-Nov-2009, 08:18 PM #4

Good Evening NeonFx,

I'm so sorry for the delayed response to your post. I have been on the road quite a bit with work and have not been able to get to this computer till now. I really hope that you are still able to help me with this. If not, I understand that I was too late in responding. In any case, I have attached the OTS scan to this reply. Thanks in advance.

AJ

NeonFx · 14-Nov-2009, 10:19 PM #5

Good job. You don't have to wait for me say it's ok to move on to the next step if you successfully completed the preceding one. Please post the results of Step 2 when you can.

ajtallin · 19-Nov-2009, 03:28 PM #6

Thanks for your continued help with this NeonFx!

I've tried doing step #2 now several times but have been unsuccessful. I've tried downloading the program from all 3 links you provided and everytime I run the program from my desktop, initially I get the following error:

FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e0)
DeviceIoControl Error! Error Code = 0x1e7
FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e0)

Those are the details of the error. The program does open up though and when I go to the Reports tab, I follow your instructions checking off the correct boxes, etc. and when I press Scan, several errors flash and ultimately the program shuts down. A report does get posted/saved onto my desktop. I've attached it here, but I don't think it's very helpful. Please let me know if there is something that I'm doing wrong or that I need to do different. Thanks.

AJ

NeonFx · 19-Nov-2009, 04:12 PM #7

We'll need a bigger more automatic tool if we're going to keep taking 4 days between responses. We can skip the RootRepeal step. Let's do the following:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
Double click on ComboFix.exe & follow the prompts.

Note: Combofix will run without the Recovery Console installed.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. A increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

ajtallin · 19-Nov-2009, 05:59 PM #8

Hi NeonFx, thanks so much for your patience with prolonged times between responses. I have completed the ComboFix and attached the ComboFix.txt to this reply. I don't know if it matters, but when I started the ComboFix program it prompted me to update it to a "newer" version so I did. Hope that wasn't wrong.

Finally, I do have one big problem though. Now that it's done running, I've restarted the computer a few times and my internet is not working. You did say that there were settings that may be changed so could that be the reason why? I know the internet is working because I am sending this to you with my laptop on the same network. Please let me know how to get the internet up and running also if you could. Thanks in advance. Take care.

AJ

ajtallin · 19-Nov-2009, 06:06 PM #9

Hi NeonFx,

Sorry, scratch the problem with the internet mentioned above. It's working now. I guess I had to manually reconnect to the network. It didn't just do it automatically when I restarted the computer. Thanks. I do however look forward to hearing back from you about what you find in the file. Take care.

AJ

NeonFx · 19-Nov-2009, 06:14 PM **#10**

Don't worry about delays, I don't mind.

It's odd that I still can't see the cause of your problems. Let's do the following to fish it out:

Step 1

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Please copy the following into the Custom Scans box at the bottom

Code:

%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\si3112.sys /s /md5
%SYSTEMDRIVE%\viadsk.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

Click on the Log tab.
In the Write to log box select All items.
Place a checkmark next to Hidden Objects Only
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
(Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

ajtallin · 19-Nov-2009, 07:01 PM **#11**

Ok, I've attached the OTS log to this reply.

The following is the Sysprot log:

SysProt AntiRootkit v1.0.1.0
by swatkat
*************************************************************************** ***************
*************************************************************************** ***************
No Hidden Processes found
*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys
Service Name: ---
Module Base: 8E792000
Module End: 8E79C000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_nvstor.sys
Service Name: ---
Module Base: 8F413000
Module End: 8F420000
Hidden: Yes
*************************************************************************** ***************
*************************************************************************** ***************
No SSDT Hooks found
*************************************************************************** ***************
*************************************************************************** ***************
No Kernel Hooks found
*************************************************************************** ***************
*************************************************************************** ***************
No IRP Hooks found
*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: FEVERKYLE.NO-DOMAIN-SET.BELLCANADA:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: FEVERKYLE:49592
Remote Address: SPYNETTEST.MICROSOFT.COM:HTTPS
Type: TCP
Process: C:\Program Files\Windows Defender\MSASCui.exe
State: ESTABLISHED
Local Address: FEVERKYLE:49253
Remote Address: NETADVISOR.NETWORKMAGIC.COM:HTTP
Type: TCP
Process: C:\Program Files\Pure Networks\Network Magic\nmapp.exe
State: ESTABLISHED
Local Address: FEVERKYLE:49164
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
Local Address: FEVERKYLE:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\spoolsv.exe
State: LISTENING
Local Address: FEVERKYLE:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING
Local Address: FEVERKYLE:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: FEVERKYLE:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: FEVERKYLE:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: FEVERKYLE:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING
Local Address: FEVERKYLE:1196
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
State: LISTENING
Local Address: FEVERKYLE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: FEVERKYLE.NO-DOMAIN-SET.BELLCANADA:49833
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE.NO-DOMAIN-SET.BELLCANADA:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE.NO-DOMAIN-SET.BELLCANADA:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: FEVERKYLE.NO-DOMAIN-SET.BELLCANADA:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: FEVERKYLE:63082
Remote Address: NA
Type: UDP
Process: C:\Program Files\Pure Networks\Network Magic\nmapp.exe
State: NA
Local Address: FEVERKYLE:51748
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:49834
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:49832
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:62379
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:1196
Remote Address: NA
Type: UDP
Process: C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
State: NA
Local Address: FEVERKYLE:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: FEVERKYLE:68
Remote Address: NA
Type: UDP
Process: C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
State: NA
Local Address: FEVERKYLE:67
Remote Address: NA
Type: UDP
Process: C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
State: NA
*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\SPP
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\{02d414b9-d2ba-11de-84ad-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{02d41fc2-d2ba-11de-84ad-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{02d434df-d2ba-11de-84ad-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{0a1db658-ce55-11de-8018-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{0a1db796-ce55-11de-8018-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{6867f652-d179-11de-97b4-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{6a352dc9-c958-11de-9d23-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{8ab3e107-c58f-11de-9d23-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{8ab3e4e3-c58f-11de-9d23-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{8ab3e5a8-c58f-11de-9d23-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{8ab3f516-c58f-11de-9d23-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{a3bb8c53-ce9a-11de-b829-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{a4b44e37-c9e3-11de-9924-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{d00ec7c0-ca21-11de-9f70-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{d00ecf93-ca21-11de-9f70-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{e2047a31-cfae-11de-867b-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{e2047fd5-cfae-11de-867b-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{fd903065-d461-11de-84ad-001bb976e184}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied

Looking forward to your dianosis.

AJ

NeonFx · 19-Nov-2009, 10:44 PM **#12**

Hmm.. let's see if we can narrow it down. You have a whole lot of harddrive drivers and I think the offending file is one of them. Please do the following:

Open OTS.exe and under the Custom Scans section copy and paste the following:

C:\ql2300.sys /s /md5
C:\iastorv.sys /s /md5
C:\ulsata2.sys /s /md5
C:\vsmraid.sys /s /md5
C:\ql40xx.sys /s /md5
C:\ulsata.sys /s /md5
C:\nvraid.sys /s /md5
C:\sisraid4.sys /s /md5
C:\nvstor.sys /s /md5
C:\lsi_scsi.sys /s /md5
C:\sisraid2.sys /s /md5
C:\mraid35x.sys /s /md5
C:\viaide.sys /s /md5
C:\cmdide.sys /s /md5
C:\aliide.sys /s /md5

Then click on the Quick Scan button. Attach these results to your next reply for me.

Tag Cloud
access acer asus bios bsod computer crash driver drivers error ethernet excel freeze gaming gpu hard drive hardware hdmi internet laptop mac malware memory monitor motherboard music network printer problem ram registry router server slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!