Solved: Tazinga Virus


nt91 (Junior Member with 5 posts, thread starter)
Join Date: Dec 2010
Experience: Intermediate
07-Dec-2010, 01:32 PM, #1: Tazinga Virus
This virus has been redirecting me from google searches and whatnot as well as being a general nuisance and slowing me down. As the name suggests, it often redirects me to tazinga.com.

Here's all the logs:
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:06:43 AM, on 12/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\CameraAssistant.exe
D:\WINDOWS\system32\ElkCtrl.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Pandora\Pandora.exe
D:\Program Files\Trillian 4.2\trillian.exe
D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\taskmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Java\jre6\bin\jucheck.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
D:\Documents and Settings\Vince\Desktop\z07gczu5.exe
D:\Documents and Settings\Vince\Desktop\dds.scr
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Documents and Settings\Vince\Desktop\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] D:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] D:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] D:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ieogrge_v14] D:\Program Files\ieogrge_v14\ieogrge_v14.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: fgsfds.lnk = D:\Program Files\Malwarebytes' Anti-Malware\fgsfds.exe
O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
O4 - Startup: Trillian.lnk = D:\Program Files\Trillian 4.2\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - D:\Documents and Settings\Vince\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: acphelp.dll acpclient.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Browser Defender Update Service - Unknown owner - D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7025 bytes

DDS.txt:

DDS (Ver_10-12-05.01) - NTFSx86
Run by Vince at 5:06:27.78 on Tue 12/07/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1080 [GMT -5:00]


============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\system32\svchost -k rpcss
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\system32\spoolsv.exe
d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\CameraAssistant.exe
D:\WINDOWS\system32\ElkCtrl.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Pandora\Pandora.exe
D:\Program Files\Trillian 4.2\trillian.exe
D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\taskmgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Java\jre6\bin\jucheck.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
D:\Documents and Settings\Vince\Desktop\z07gczu5.exe
D:\Documents and Settings\Vince\Desktop\dds.scr
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "d:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] d:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] d:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LVCOMSX] d:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] d:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] d:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] d:\windows\system32\ElkCtrl.exe /automation
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [ieogrge_v14] d:\program files\ieogrge_v14\ieogrge_v14.exe
mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: d:\docume~1\vince\startm~1\programs\startup\fgsfds.lnk - d:\program files\malwarebytes' anti-malware\fgsfds.exe
StartupFolder: d:\docume~1\vince\startm~1\programs\startup\pandora.lnk - d:\program files\pandora\Pandora.exe
StartupFolder: d:\docume~1\vince\startm~1\programs\startup\trillian.lnk - d:\program files\trillian 4.2\trillian.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - d:\documents and settings\vince\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~2\office12\GR99D3~1.DLL
AppInit_DLLs: acphelp.dll acpclient.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Exif Viewer: exif_viewer@mozilla.doslash.org - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\extensions\exif_viewer@mozilla.doslash.org
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Personas: personas@christopher.beard - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\extensions\personas@christopher.beard
FF - Extension: Java Quick Starter: jqs@sun.com - d:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2010-12-6 217032]
R2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-12-6 112592]
R2 npf;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2009-3-15 34064]
R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2010-12-6 366840]
R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2010-12-6 1142224]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;d:\windows\system32\drivers\RTS5121.sys [2009-6-5 157696]
S3 Rts516xIR;Realtek IR Driver;d:\windows\system32\drivers\rts516xir.sys --> d:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2019-10-09 04:37:41 302184 ----a-w- d:\windows\amuninst.exe
2010-12-07 02:11:36 -------- d-s---w- d:\documents and settings\vince\UserData
2010-12-07 00:05:14 -------- d-----w- d:\docume~1\vince\locals~1\applic~1\Threat Expert
2010-12-07 00:04:27 767952 ----a-w- d:\windows\BDTSupport.dll
2010-12-07 00:04:26 1652688 ----a-w- d:\windows\PCTBDCore.dll
2010-12-07 00:04:26 149456 ----a-w- d:\windows\SGDetectionTool.dll
2010-12-07 00:04:25 165840 ----a-w- d:\windows\PCTBDRes.dll
2010-12-06 23:59:23 233136 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2010-12-06 23:58:55 88040 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2010-12-06 23:58:55 217032 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2010-12-06 23:58:40 70408 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2010-12-06 23:58:20 -------- d-----w- d:\program files\common files\PC Tools
2010-12-06 23:58:20 -------- d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
2010-12-06 23:58:19 -------- d-----w- d:\program files\Spyware Doctor
2010-12-06 23:58:19 -------- d-----w- d:\docume~1\vince\applic~1\PC Tools
2010-12-06 21:12:33 53248 ----a-w- d:\windows\system32\drivers\sst5EB.sys
2010-12-06 21:12:33 0 ----a-w- d:\windows\system32\drivers\sst5EB.tmp
2010-12-06 02:07:45 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx473.tmp
2010-12-06 02:06:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx472.tmp
2010-12-06 01:44:43 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx471.tmp
2010-12-05 06:57:41 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3DE.tmp
2010-12-05 06:20:23 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3DB.tmp
2010-12-05 06:17:05 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3DA.tmp
2010-12-05 06:15:44 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D9.tmp
2010-12-05 06:07:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D5.tmp
2010-12-05 06:03:27 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D4.tmp
2010-12-05 05:44:29 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D3.tmp
2010-12-03 03:38:41 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx286.tmp
2010-12-03 02:40:17 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx285.tmp
2010-12-03 02:19:32 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx284.tmp
2010-12-03 01:21:21 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx27A.tmp
2010-12-03 01:13:03 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx279.tmp
2010-12-03 00:57:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx278.tmp
2010-12-02 23:59:32 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx25F.tmp
2010-12-02 08:18:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1FD.tmp
2010-12-02 08:07:42 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1FC.tmp
2010-12-02 08:04:50 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1FB.tmp
2010-12-02 07:09:03 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F8.tmp
2010-12-02 06:54:57 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F7.tmp
2010-12-02 06:29:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F6.tmp
2010-12-02 06:10:54 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F5.tmp
2010-12-02 05:52:31 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1EC.tmp
2010-12-02 05:51:00 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1EB.tmp
2010-12-02 05:50:02 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1EA.tmp
2010-12-02 05:46:44 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E9.tmp
2010-12-02 05:30:42 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E7.tmp
2010-12-02 05:18:10 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E6.tmp
2010-12-02 04:23:27 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E5.tmp
2010-12-02 04:14:43 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E4.tmp
2010-12-02 03:50:22 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E3.tmp
2010-12-02 03:44:57 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E2.tmp
2010-12-01 23:00:27 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx195.tmp
2010-12-01 22:39:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx194.tmp
2010-12-01 22:31:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx193.tmp
2010-12-01 22:15:15 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx173.tmp
2010-12-01 22:09:37 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx172.tmp
2010-12-01 22:07:24 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx171.tmp
2010-12-01 22:04:22 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx170.tmp
2010-12-01 22:02:08 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx16F.tmp
2010-12-01 03:13:08 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx8D.tmp
2010-12-01 03:03:02 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx8C.tmp
2010-12-01 02:49:12 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx8B.tmp
2010-11-29 03:44:44 -------- d-----w- d:\docume~1\vince\applic~1\Malwarebytes
2010-11-29 03:44:06 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 03:44:05 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-11-29 03:44:05 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-11-29 03:44:05 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-29 03:29:37 -------- d-----w- d:\docume~1\vince\applic~1\FrostWire
2010-11-25 18:04:26 -------- d-----w- d:\windows\system32\soii21_v262
2010-11-24 23:17:32 -------- d-----w- d:\docume~1\vince\applic~1\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
2010-11-24 23:17:31 -------- d-----w- d:\program files\Pandora
2010-11-20 00:08:59 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx52E.tmp

==================== Find3M ====================

2010-12-07 00:32:49 8404 --sha-w- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-11-26 07:16:53 23 ----a-w- d:\windows\dp_navi21_v120_dboot.dll
2010-10-29 22:01:03 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F2.tmp
2010-10-22 17:36:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx2AB9.tmp
2010-10-22 16:18:08 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx2AB5.tmp
2010-10-18 04:03:11 65536 ----a-w- d:\windows\IFinst27.exe
2010-10-13 19:11:01 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx195D.tmp
2010-10-13 19:02:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx195C.tmp

============= FINISH: 5:13:22.15 ===============


ark.txt:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-07 13:09:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD3200JS-60PDB0 rev.21.00M21
Running: z07gczu5.exe; Driver: D:\DOCUME~1\Vince\LOCALS~1\Temp\kxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA5D2E64]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA5B2EEE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA5B30E0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA5D3652]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA5D3906]
SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT speu.sys ZwEnumerateValueKey [0xBA6CE132]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA5D1B64]
SSDT speu.sys ZwQueryKey [0xBA6CE20A]
SSDT speu.sys ZwQueryValueKey [0xBA6CE08A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA5D3D72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA5D3124]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA5B2B5C]

INT 0x63 ? 8A534BF8
INT 0x63 ? 8A534BF8
INT 0x63 ? 8A1BFBF8
INT 0x63 ? 8A534BF8
INT 0x73 ? 8A534BF8
INT 0x73 ? 8A534BF8
INT 0x73 ? 8A534BF8
INT 0xA4 ? 8A1BFBF8

---- Kernel code sections - GMER 1.0.15 ----

? speu.sys The system cannot find the file specified. !
INITc VolSnap.sys BA8F3978 4 Bytes [50, A5, 53, 80]
INITc VolSnap.sys BA8F39A0 4 Bytes [A8, A1, 4F, 80]
INITc VolSnap.sys BA8F39C8 4 Bytes [A6, AE, 4F, 80]
INITc VolSnap.sys BA8F39F0 4 Bytes [20, FF, 4F, 80]
INITc VolSnap.sys BA8F3A18 4 Bytes [6A, A8, 4F, 80]
INITc ...
.text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9A36360, 0x20574D, 0xE8000020]
.text USBPORT.SYS!DllUnload B9A168AC 5 Bytes JMP 8A1BF1D8
? D:\DOCUME~1\Vince\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text D:\WINDOWS\system32\LVCOMSX.EXE[140] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01C60001
.text D:\Program Files\Logitech\Video\CameraAssistant.exe[208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01C60001
.text D:\WINDOWS\system32\ElkCtrl.exe[260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010D0001
.text D:\Program Files\Java\jre6\bin\jusched.exe[284] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CC0001
.text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B90001
.text ...
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[1500] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10405CF5 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text D:\WINDOWS\system32\ctfmon.exe[1864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text D:\WINDOWS\system32\RUNDLL32.EXE[2032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DB0001
.text D:\WINDOWS\RTHDCPL.EXE[2040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 022E0001
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 D:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012F0001
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 012A000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 006B000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 006A000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006C000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 006D000A
.text D:\WINDOWS\System32\alg.exe[2220] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text D:\WINDOWS\system32\taskmgr.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text D:\WINDOWS\system32\ctfmon.exe[3360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D40001
.text D:\WINDOWS\system32\notepad.exe[8068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BE0001

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5331F8
Device \Driver\usbohci \Device\USBPDO-0 8A1431F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A4C51F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A4C51F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A4C51F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A4C51F8
Device \Driver\usbehci \Device\USBPDO-1 8A1BE1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E3D3E239-3C9F-4A2C-959D-120112AE3BD9} 89B25500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5351F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5351F8
Device \Driver\Cdrom \Device\CdRom0 8A1D01F8
Device \Driver\atapi \Device\Ide\IdePort0 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 89B25500
Device \Driver\NetBT \Device\NetbiosSmb 89B25500
Device \Driver\usbohci \Device\USBFDO-0 8A1431F8
Device \Driver\usbehci \Device\USBFDO-1 8A1BE1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89ADE500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89ADE500
Device \Driver\Ftdisk \Device\FtControl 8A5351F8
Device \FileSystem\Cdfs \Cdfs 89CA1500

---- Threads - GMER 1.0.15 ----

Thread System [4:148] 8A44858D
Thread System [4:152] 8A449876

---- Processes - GMER 1.0.15 ----

Process D:\WINDOWS\system32\Rundll32.exe (*** hidden *** ) 2212

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEF 0x43 0xB9 0xDE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEF 0x43 0xB9 0xDE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4C 0x82 0x6C 0xF7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x64 0x08 0x64 0x90 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;



GMER has gotten stuck there several times. I don't really know what to do from here :/ I've tried turning off system restore and using MBAM in safe mode and in normal mode. It doesn't even recognize that I have a virus :/ and yes, it's updated to the most recent version.

Edit: GMER is unstuck and is scanning now, will update with results when done.

Last edited by nt91; 07-Dec-2010 at 01:40 PM..
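One way a responder could turn the HijackThis and GMER output above into a structured review list, as an added example (my own code, not a tool from this thread or from Tech Support Guy). The sample lines are copied from the logs posted in the thread; the rules are my own assumptions, they only mark lines for a human to check and do not call anything malicious:

```python
"""Triage helper for HijackThis and GMER text logs (added example).

Not a tool from this thread or from Tech Support Guy. It turns free-text
log lines into structured records and applies a few generic "review this"
rules; every rule is an assumption of mine and yields a prompt for a human
analyst, not a malware verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ieogrge_v14] D:\Program Files\ieogrge_v14\ieogrge_v14.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: fgsfds.lnk = D:\Program Files\Malwarebytes' Anti-Malware\fgsfds.exe
O20 - AppInit_DLLs: acphelp.dll acpclient.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Browser Defender Update Service - Unknown owner - D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA5D2E64]
SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
Process D:\WINDOWS\system32\Rundll32.exe (*** hidden *** ) 2212
Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;
"""


@dataclass
class Finding:
    source: str   # which scanner's line shape matched: "HJT" or "GMER"
    reason: str
    line: str


# Line shapes as they appear in the posted logs.
HJT_ENTRY = re.compile(r"^(O\d+) - (.*)$")
HJT_RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
HJT_STARTUP = re.compile(r"^Startup: (?P<name>.*?) = (?P<cmd>.*)$")
HJT_SERVICE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
GMER_SSDT = re.compile(r"^SSDT (?P<driver>\S+)(?: \((?P<vendor>[^)]*)\))? (?P<func>Zw\w+)")
GMER_HIDDEN = re.compile(r"^Process (?P<path>.*?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)")
GMER_DISK = re.compile(r"^Disk (?P<dev>\S+) .*rootkit-like behavior")


def autostart_entries(text):
    """Inventory of HijackThis O4 autostart entries as (name, command) pairs."""
    out = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m or m.group(1) != "O4":
            continue
        r = HJT_RUN.match(m.group(2)) or HJT_STARTUP.match(m.group(2))
        if r:
            out.append((r.group("name"), r.group("cmd")))
    return out


def triage_line(line):
    """Return a Finding for one log line, or None when no rule fires."""
    line = line.strip()
    m = HJT_ENTRY.match(line)
    if m:
        code, body = m.groups()
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:   # rule: AppInit_DLLs loads into every GUI process, so any value deserves a look
                return Finding("HJT", "AppInit_DLLs set: " + ", ".join(dlls), line)
        if code == "O23":
            s = HJT_SERVICE.match(body)
            if s and s.group("owner") == "Unknown owner":   # rule: HJT found no company string
                return Finding("HJT", "service without owner: " + s.group("name"), line)
        return None
    s = GMER_SSDT.match(line)
    if s and not s.group("vendor"):   # rule: SSDT hook by a driver GMER did not attribute to a vendor
        return Finding("GMER", f"unattributed SSDT hook on {s.group('func')} by {s.group('driver')}", line)
    h = GMER_HIDDEN.match(line)
    if h:   # rule: GMER's own hidden-process marker
        return Finding("GMER", f"hidden process {h.group('path')} pid {h.group('pid')}", line)
    d = GMER_DISK.match(line)
    if d:   # rule: GMER's own disk-level marker
        return Finding("GMER", f"rootkit-like disk behaviour on {d.group('dev')}", line)
    return None


def triage(text):
    """Apply triage_line to every line and keep the findings, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    print("Autostart inventory:")
    for name, cmd in autostart_entries(SAMPLE_LOG):
        print(f"  [{name}] {cmd}")
    print("Items to review:")
    for f in triage(SAMPLE_LOG):
        print(f"  {f.source}: {f.reason}")
```

The inventory deliberately lists every O4 entry rather than scoring them: on this kind of log, the useful work is comparing each path against what the owner knows they installed, and a script cannot do that. The review rules only surface markers the scanners themselves emit (hidden process, rootkit-like disk behaviour, unattributed SSDT hook, missing service owner) plus the AppInit_DLLs value, which is worth a look whenever it is set.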
nt91 (Junior Member with 5 posts, thread starter)
Join Date: Dec 2010
Experience: Intermediate
08-Dec-2010, 06:53 AM, #2
On subsequent runs, this is all GMER gave me:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-08 06:52:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD3200JS-60PDB0 rev.21.00M21
Running: z07gczu5.exe; Driver: D:\DOCUME~1\Vince\LOCALS~1\Temp\kxtdypoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT speu.sys ZwEnumerateValueKey [0xBA6CE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs 8A5331F8

---- Threads - GMER 1.0.15 ----

Thread System [4:148] 8A44858D
Thread System [4:152] 8A449876

---- EOF - GMER 1.0.15 ----
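As an added example (not code from the thread, from GMER, or from any of the tools named here), below is a small Python parser for the quick-scan log format quoted in post #2. It splits the log into its `---- Section ----` blocks and extracts the SSDT hook entries, the hooked device-dispatch entries and the disk-sector finding, so that what a helper reads by eye (which module owns each SSDT hook, how many device objects share one handler address and in which module section it lives) can be checked programmatically. The embedded sample log is constructed from the lines quoted in this post; the regular expressions, section names and function names are my own assumptions drawn from those lines, not a published GMER format specification.

```python
"""Parse a GMER 1.0.15 quick-scan log (added example; not GMER's own code).

The regexes and helper names below are assumptions inferred from the log
lines quoted in this thread, not a published GMER format specification.
"""
import re
from collections import Counter

# Sample log constructed from the lines quoted in post #2 of this thread.
SAMPLE_LOG = r"""GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-08 06:52:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD3200JS-60PDB0 rev.21.00M21
Running: z07gczu5.exe; Driver: D:\DOCUME~1\Vince\LOCALS~1\Temp\kxtdypoc.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT speu.sys ZwEnumerateValueKey [0xBA6CE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs 8A5331F8

---- Threads - GMER 1.0.15 ----

Thread System [4:148] 8A44858D
Thread System [4:152] 8A449876

---- EOF - GMER 1.0.15 ----
"""

# Section header: "---- <name> - GMER <version> ----"
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "SSDT <module> <Zw function> [0x<address>]"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)\s+\[0x([0-9A-Fa-f]+)\]$")
# "Device <driver> <device> [<handler>] <module>[<section>] {...}"; unhooked
# entries such as the Ntfs line carry no bracketed handler and do not match.
DEVICE_RE = re.compile(
    r"^Device\s+(\S+)\s+(\S+)\s+\[([0-9A-Fa-f]+)\]\s+([^\[\s]+)\[([^\]]*)\]")
# "Disk <device> sectors <n> (+<extra>): <note>;"
DISK_RE = re.compile(r"^Disk\s+(\S+)\s+sectors\s+(\d+)\s+\(\+(\d+)\):\s*(.*?);?\s*$")
# "Thread <process> [<pid>:<tid>] <address>"
THREAD_RE = re.compile(r"^Thread\s+(\S+)\s+\[(\d+):(\d+)\]\s+([0-9A-Fa-f]+)$")


def parse_sections(text):
    """Map section name -> non-empty lines; lines before the first header go under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def ssdt_hooks(sections):
    """SSDT entries: which kernel module owns the hook on which Zw* service."""
    out = []
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            out.append({"module": m.group(1), "function": m.group(2),
                        "address": int(m.group(3), 16)})
    return out


def device_hooks(sections):
    """Device objects whose dispatch handler GMER resolved to a module section."""
    out = []
    for line in sections.get("Devices", []):
        m = DEVICE_RE.match(line)
        if m:
            out.append({"driver": m.group(1), "device": m.group(2),
                        "handler": int(m.group(3), 16),
                        "module": m.group(4), "section": m.group(5)})
    return out


def disk_findings(sections):
    """Disk-sector findings, e.g. the 'rootkit-like behavior' note on DR0."""
    out = []
    for line in sections.get("Disk sectors", []):
        m = DISK_RE.match(line)
        if m:
            out.append({"device": m.group(1), "sectors": int(m.group(2)),
                        "extra": int(m.group(3)), "note": m.group(4)})
    return out


def threads(sections):
    """Thread entries as (process, pid, tid, address) tuples."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4), 16))
            for m in map(THREAD_RE.match, sections.get("Threads", [])) if m]


def summarize(text):
    """Triage view: hook counts per module and per (module, handler) pair."""
    s = parse_sections(text)
    return {
        "sections": [n for n in s if n != "Header"],
        "ssdt_modules": dict(Counter(h["module"] for h in ssdt_hooks(s))),
        "device_handlers": dict(Counter((d["module"], d["handler"]) for d in device_hooks(s))),
        "disk": disk_findings(s),
        "thread_entries": len(threads(s)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The summary groups device entries by (module, handler address), which is how the quoted log reads at a glance: every hooked IDE device object resolves to the same handler inside a section of atapi.sys that GMER could not name. Run the script against a saved GMER log by replacing `SAMPLE_LOG` with the file contents.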
nt91 (Thread Starter)
08-Dec-2010, 07:53 PM #3
I don't think the original post has the attach.txt attached to it, for some reason, so here it is.
CatByte, Malware Removal Specialist with 3,893 posts. Join Date: Feb 2009
08-Dec-2010, 08:10 PM #4
Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
nt91 (Thread Starter)
08-Dec-2010, 08:29 PM #5
Hi, I got a bit antsy with waiting and so I followed the instructions given in this thread up to the Kaspersky step. The redirection problem seems to be gone, Malwarebytes detects nothing (although it did this before too), so I think it's mainly gone. I still have a problem where occasionally when I click on a website in a google search I get redirected to cheapwebhostingdeal.com briefly before being redirected back to google.com.

Edit: The Internet Explorer process is also still running in the background and just comes back when closed. So, should I just start from the beginning with going through ComboFix and everything?

Edit #2: The Kaspersky thing isn't working. Says I need to restart every time.

Last edited by nt91; 08-Dec-2010 at 08:42 PM.
CatByte (Malware Removal Specialist)
08-Dec-2010, 10:03 PM #6
Please follow the instructions from my previous post
nt91 (Thread Starter)
08-Dec-2010, 10:57 PM #7
Actually, I think I solved it. I have Spyware Doctor and Malwarebytes Pro running now. I also ran tdsskiller.
CatByte (Malware Removal Specialist)
09-Dec-2010, 07:52 AM #8
OK

Thanks for letting me know

I am unsubscribing from this thread, so if you find any malware remaining, please start a new topic