
Tazinga Virus

Discussion in 'Virus & Other Malware Removal' started by nt91, Dec 7, 2010.

  1. nt91

    nt91 Thread Starter

    Joined: Dec 6, 2010
    Messages: 5
    This virus has been redirecting me from Google searches and whatnot, as well as being a general nuisance and slowing me down. As the name suggests, it often redirects me to tazinga.com.

    Here are all the logs:
    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:06:43 AM, on 12/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\RTHDCPL.EXE
    D:\WINDOWS\system32\LVCOMSX.EXE
    D:\Program Files\Logitech\Video\CameraAssistant.exe
    D:\WINDOWS\system32\ElkCtrl.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\Program Files\Pandora\Pandora.exe
    D:\Program Files\Trillian 4.2\trillian.exe
    D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\taskmgr.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\System32\alg.exe
    D:\Program Files\Java\jre6\bin\jucheck.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Mozilla Firefox\plugin-container.exe
    D:\Documents and Settings\Vince\Desktop\z07gczu5.exe
    D:\Documents and Settings\Vince\Desktop\dds.scr
    D:\WINDOWS\system32\cmd.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\wbem\wmiprvse.exe
    D:\Documents and Settings\Vince\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechCameraAssistant] D:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] D:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [LogitechCameraService(E)] D:\WINDOWS\system32\ElkCtrl.exe /automation
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ieogrge_v14] D:\Program Files\ieogrge_v14\ieogrge_v14.exe
    O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: fgsfds.lnk = D:\Program Files\Malwarebytes' Anti-Malware\fgsfds.exe
    O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
    O4 - Startup: Trillian.lnk = D:\Program Files\Trillian 4.2\trillian.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Free YouTube to Mp3 Converter - D:\Documents and Settings\Vince\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: acphelp.dll acpclient.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Browser Defender Update Service - Unknown owner - D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 7025 bytes

    DDS.txt:

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Vince at 5:06:27.78 on Tue 12/07/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1080 [GMT -5:00]


    ============== Running Processes ===============

    D:\WINDOWS\system32\svchost -k DcomLaunch
    D:\WINDOWS\system32\svchost -k rpcss
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    D:\WINDOWS\system32\svchost.exe -k NetworkService
    D:\WINDOWS\system32\svchost.exe -k LocalService
    D:\WINDOWS\system32\spoolsv.exe
    d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\RTHDCPL.EXE
    D:\WINDOWS\system32\LVCOMSX.EXE
    D:\Program Files\Logitech\Video\CameraAssistant.exe
    D:\WINDOWS\system32\ElkCtrl.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\Program Files\Pandora\Pandora.exe
    D:\Program Files\Trillian 4.2\trillian.exe
    D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\WINDOWS\system32\taskmgr.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\System32\alg.exe
    D:\Program Files\Java\jre6\bin\jucheck.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Mozilla Firefox\plugin-container.exe
    D:\Documents and Settings\Vince\Desktop\z07gczu5.exe
    D:\Documents and Settings\Vince\Desktop\dds.scr
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
    mRun: [IMJPMIG8.1] "d:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] d:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] d:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [LVCOMSX] d:\windows\system32\LVCOMSX.EXE
    mRun: [LogitechCameraAssistant] d:\program files\logitech\video\CameraAssistant.exe
    mRun: [LogitechVideo[inspector]] d:\program files\logitech\video\InstallHelper.exe /inspect
    mRun: [LogitechCameraService(E)] d:\windows\system32\ElkCtrl.exe /automation
    mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
    mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ieogrge_v14] d:\program files\ieogrge_v14\ieogrge_v14.exe
    mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: d:\docume~1\vince\startm~1\programs\startup\fgsfds.lnk - d:\program files\malwarebytes' anti-malware\fgsfds.exe
    StartupFolder: d:\docume~1\vince\startm~1\programs\startup\pandora.lnk - d:\program files\pandora\Pandora.exe
    StartupFolder: d:\docume~1\vince\startm~1\programs\startup\trillian.lnk - d:\program files\trillian 4.2\trillian.exe
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Free YouTube to Mp3 Converter - d:\documents and settings\vince\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~2\office12\GR99D3~1.DLL
    AppInit_DLLs: acphelp.dll acpclient.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Exif Viewer: [email protected] - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\extensions\[email protected]
    FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Extension: Personas: [email protected] - d:\docume~1\vince\applic~1\mozilla\firefox\profiles\9ambmtto.default\extensions\[email protected]
    FF - Extension: Java Quick Starter: [email protected] - d:\program files\java\jre6\lib\deploy\jqs\ff

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2010-12-6 217032]
    R2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-12-6 112592]
    R2 npf;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2009-3-15 34064]
    R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2010-12-6 366840]
    R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2010-12-6 1142224]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;d:\windows\system32\drivers\RTS5121.sys [2009-6-5 157696]
    S3 Rts516xIR;Realtek IR Driver;d:\windows\system32\drivers\rts516xir.sys --> d:\windows\system32\drivers\Rts516xIR.sys [?]

    =============== Created Last 30 ================

    2019-10-09 04:37:41 302184 ----a-w- d:\windows\amuninst.exe
    2010-12-07 02:11:36 -------- d-s---w- d:\documents and settings\vince\UserData
    2010-12-07 00:05:14 -------- d-----w- d:\docume~1\vince\locals~1\applic~1\Threat Expert
    2010-12-07 00:04:27 767952 ----a-w- d:\windows\BDTSupport.dll
    2010-12-07 00:04:26 1652688 ----a-w- d:\windows\PCTBDCore.dll
    2010-12-07 00:04:26 149456 ----a-w- d:\windows\SGDetectionTool.dll
    2010-12-07 00:04:25 165840 ----a-w- d:\windows\PCTBDRes.dll
    2010-12-06 23:59:23 233136 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
    2010-12-06 23:58:55 88040 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
    2010-12-06 23:58:55 217032 ----a-w- d:\windows\system32\drivers\PCTCore.sys
    2010-12-06 23:58:40 70408 ----a-w- d:\windows\system32\drivers\pctplsg.sys
    2010-12-06 23:58:20 -------- d-----w- d:\program files\common files\PC Tools
    2010-12-06 23:58:20 -------- d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
    2010-12-06 23:58:19 -------- d-----w- d:\program files\Spyware Doctor
    2010-12-06 23:58:19 -------- d-----w- d:\docume~1\vince\applic~1\PC Tools
    2010-12-06 21:12:33 53248 ----a-w- d:\windows\system32\drivers\sst5EB.sys
    2010-12-06 21:12:33 0 ----a-w- d:\windows\system32\drivers\sst5EB.tmp
    2010-12-06 02:07:45 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx473.tmp
    2010-12-06 02:06:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx472.tmp
    2010-12-06 01:44:43 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx471.tmp
    2010-12-05 06:57:41 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3DE.tmp
    2010-12-05 06:20:23 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3DB.tmp
    2010-12-05 06:17:05 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3DA.tmp
    2010-12-05 06:15:44 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D9.tmp
    2010-12-05 06:07:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D5.tmp
    2010-12-05 06:03:27 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D4.tmp
    2010-12-05 05:44:29 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx3D3.tmp
    2010-12-03 03:38:41 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx286.tmp
    2010-12-03 02:40:17 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx285.tmp
    2010-12-03 02:19:32 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx284.tmp
    2010-12-03 01:21:21 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx27A.tmp
    2010-12-03 01:13:03 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx279.tmp
    2010-12-03 00:57:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx278.tmp
    2010-12-02 23:59:32 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx25F.tmp
    2010-12-02 08:18:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1FD.tmp
    2010-12-02 08:07:42 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1FC.tmp
    2010-12-02 08:04:50 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1FB.tmp
    2010-12-02 07:09:03 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F8.tmp
    2010-12-02 06:54:57 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F7.tmp
    2010-12-02 06:29:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F6.tmp
    2010-12-02 06:10:54 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F5.tmp
    2010-12-02 05:52:31 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1EC.tmp
    2010-12-02 05:51:00 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1EB.tmp
    2010-12-02 05:50:02 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1EA.tmp
    2010-12-02 05:46:44 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E9.tmp
    2010-12-02 05:30:42 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E7.tmp
    2010-12-02 05:18:10 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E6.tmp
    2010-12-02 04:23:27 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E5.tmp
    2010-12-02 04:14:43 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E4.tmp
    2010-12-02 03:50:22 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E3.tmp
    2010-12-02 03:44:57 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1E2.tmp
    2010-12-01 23:00:27 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx195.tmp
    2010-12-01 22:39:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx194.tmp
    2010-12-01 22:31:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx193.tmp
    2010-12-01 22:15:15 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx173.tmp
    2010-12-01 22:09:37 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx172.tmp
    2010-12-01 22:07:24 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx171.tmp
    2010-12-01 22:04:22 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx170.tmp
    2010-12-01 22:02:08 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx16F.tmp
    2010-12-01 03:13:08 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx8D.tmp
    2010-12-01 03:03:02 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx8C.tmp
    2010-12-01 02:49:12 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx8B.tmp
    2010-11-29 03:44:44 -------- d-----w- d:\docume~1\vince\applic~1\Malwarebytes
    2010-11-29 03:44:06 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 03:44:05 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
    2010-11-29 03:44:05 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-11-29 03:44:05 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-29 03:29:37 -------- d-----w- d:\docume~1\vince\applic~1\FrostWire
    2010-11-25 18:04:26 -------- d-----w- d:\windows\system32\soii21_v262
    2010-11-24 23:17:32 -------- d-----w- d:\docume~1\vince\applic~1\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
    2010-11-24 23:17:31 -------- d-----w- d:\program files\Pandora
    2010-11-20 00:08:59 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx52E.tmp

    ==================== Find3M ====================

    2010-12-07 00:32:49 8404 --sha-w- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
    2010-11-26 07:16:53 23 ----a-w- d:\windows\dp_navi21_v120_dboot.dll
    2010-10-29 22:01:03 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx1F2.tmp
    2010-10-22 17:36:33 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx2AB9.tmp
    2010-10-22 16:18:08 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx2AB5.tmp
    2010-10-18 04:03:11 65536 ----a-w- d:\windows\IFinst27.exe
    2010-10-13 19:11:01 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx195D.tmp
    2010-10-13 19:02:34 0 ----a-w- d:\docume~1\alluse~1\applic~1\ISx195C.tmp

    ============= FINISH: 5:13:22.15 ===============


    ark.txt:
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-07 13:09:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD3200JS-60PDB0 rev.21.00M21
    Running: z07gczu5.exe; Driver: D:\DOCUME~1\Vince\LOCALS~1\Temp\kxtdypoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA5D2E64]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA5B2EEE]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA5B30E0]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA5D3652]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA5D3906]
    SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
    SSDT speu.sys ZwEnumerateValueKey [0xBA6CE132]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA5D1B64]
    SSDT speu.sys ZwQueryKey [0xBA6CE20A]
    SSDT speu.sys ZwQueryValueKey [0xBA6CE08A]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA5D3D72]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA5D3124]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA5B2B5C]

    INT 0x63 ? 8A534BF8
    INT 0x63 ? 8A534BF8
    INT 0x63 ? 8A1BFBF8
    INT 0x63 ? 8A534BF8
    INT 0x73 ? 8A534BF8
    INT 0x73 ? 8A534BF8
    INT 0x73 ? 8A534BF8
    INT 0xA4 ? 8A1BFBF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? speu.sys The system cannot find the file specified. !
    INITc VolSnap.sys BA8F3978 4 Bytes [50, A5, 53, 80]
    INITc VolSnap.sys BA8F39A0 4 Bytes [A8, A1, 4F, 80]
    INITc VolSnap.sys BA8F39C8 4 Bytes [A6, AE, 4F, 80]
    INITc VolSnap.sys BA8F39F0 4 Bytes [20, FF, 4F, 80]
    INITc VolSnap.sys BA8F3A18 4 Bytes [6A, A8, 4F, 80]
    INITc ...
    .text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9A36360, 0x20574D, 0xE8000020]
    .text USBPORT.SYS!DllUnload B9A168AC 5 Bytes JMP 8A1BF1D8
    ? D:\DOCUME~1\Vince\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text D:\WINDOWS\system32\LVCOMSX.EXE[140] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01C60001
    .text D:\Program Files\Logitech\Video\CameraAssistant.exe[208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01C60001
    .text D:\WINDOWS\system32\ElkCtrl.exe[260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010D0001
    .text D:\Program Files\Java\jre6\bin\jusched.exe[284] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CC0001
    .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B90001
    .text ...
    .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1500] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10405CF5 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text D:\WINDOWS\system32\ctfmon.exe[1864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
    .text D:\WINDOWS\system32\RUNDLL32.EXE[2032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DB0001
    .text D:\WINDOWS\RTHDCPL.EXE[2040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 022E0001
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 D:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012F0001
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 012A000A
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 006B000A
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 006A000A
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006C000A
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2108] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 006D000A
    .text D:\WINDOWS\System32\alg.exe[2220] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
    .text D:\WINDOWS\system32\taskmgr.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
    .text D:\WINDOWS\system32\ctfmon.exe[3360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D40001
    .text D:\WINDOWS\system32\notepad.exe[8068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BE0001

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8A5331F8
    Device \Driver\usbohci \Device\USBPDO-0 8A1431F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A4C51F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A4C51F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A4C51F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A4C51F8
    Device \Driver\usbehci \Device\USBPDO-1 8A1BE1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{E3D3E239-3C9F-4A2C-959D-120112AE3BD9} 89B25500
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5351F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5351F8
    Device \Driver\Cdrom \Device\CdRom0 8A1D01F8
    Device \Driver\atapi \Device\Ide\IdePort0 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort4 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys
    Device \Driver\NetBT \Device\NetBt_Wins_Export 89B25500
    Device \Driver\NetBT \Device\NetbiosSmb 89B25500
    Device \Driver\usbohci \Device\USBFDO-0 8A1431F8
    Device \Driver\usbehci \Device\USBFDO-1 8A1BE1F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89ADE500
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 89ADE500
    Device \Driver\Ftdisk \Device\FtControl 8A5351F8
    Device \FileSystem\Cdfs \Cdfs 89CA1500

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:148] 8A44858D
    Thread System [4:152] 8A449876

    ---- Processes - GMER 1.0.15 ----

    Process D:\WINDOWS\system32\Rundll32.exe (*** hidden *** ) 2212

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEF 0x43 0xB9 0xDE ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEF 0x43 0xB9 0xDE ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4C 0x82 0x6C 0xF7 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x64 0x08 0x64 0x90 ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;

    GMER has gotten stuck there several times. I don't really know what to do from here :/ I've tried turning off system restore and using MBAM in safe mode and in normal mode. It doesn't even recognize that I have a virus :/ and yes, it's updated to the most recent version.

    Edit: GMER is unstuck and is scanning now, will update with results when done.
     
  2. nt91

    nt91 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    5
    On subsequent runs, this is all GMER gave me:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-08 06:52:56
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD3200JS-60PDB0 rev.21.00M21
    Running: z07gczu5.exe; Driver: D:\DOCUME~1\Vince\LOCALS~1\Temp\kxtdypoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
    SSDT speu.sys ZwEnumerateValueKey [0xBA6CE132]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort4 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort5 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \FileSystem\Ntfs \Ntfs 8A5331F8

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:148] 8A44858D
    Thread System [4:152] 8A449876

    ---- EOF - GMER 1.0.15 ----
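Added example (not from the thread or from GMER): a small Python triage helper for the log format posted above. It pulls out the entries a responder looks at first, hidden processes, SSDT hooks, inline hooks on device objects and the sector-level "rootkit-like behavior" warning, and groups SSDT hooks per driver so each driver is vetted once. The sample log is constructed in the format of the posted output; the pattern set and field names are assumptions of this example.

```python
# Added triage helper for GMER 1.0.15 rootkit-scan logs (not from the thread or from GMER).
# Extracts hidden processes, SSDT hooks, inline device hooks and sector-level warnings.
import re
from collections import defaultdict

# Constructed sample in the format of the GMER output posted in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT speu.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT speu.sys ZwEnumerateValueKey [0xBA6CE132]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [BA5E9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs 8A5331F8
---- Processes - GMER 1.0.15 ----
Process D:\WINDOWS\system32\Rundll32.exe (*** hidden *** ) 2212
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sectors 625142192 (+255): rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
"""

# One regex per finding type (assumed field names); each captures the fields worth recording.
PATTERNS = {
    "ssdt_hooks": re.compile(r"^SSDT\s+(?P<driver>\S+)\s+(?P<function>\w+)\s+\[(?P<address>0x[0-9A-Fa-f]+)\]"),
    "hidden_processes": re.compile(r"^Process\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)"),
    "device_hooks": re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+?)\[unknown section\]"),
    "disk_warnings": re.compile(r"^Disk\s+(?P<device>\S+)\s+sectors\s+(?P<sectors>\d+).*rootkit-like behavior"),
}

def triage_gmer(text):
    """Return {category: [finding dicts]} for every log line that matches a pattern."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):  # blank line or section header
            continue
        for category, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                findings[category].append(m.groupdict())
                break
    return dict(findings)

def hooks_by_driver(findings):
    """Group SSDT hooks per hooking driver so each driver is vetted once, not once per hook."""
    grouped = defaultdict(list)
    for hook in findings.get("ssdt_hooks", []):
        grouped[hook["driver"]].append(hook["function"])
    return dict(grouped)
```

Lines GMER prints without an address or hook marker (such as the plain `\Ntfs` device entry) match nothing and are left out of the findings, which keeps the summary to what actually needs a decision.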
     
  3. nt91

    nt91 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    5
    I don't think the original post has the attach.txt attached to it, for some reason, so here it is.
     

  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,929
    Hi,

    Please do the following:

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
     
  5. nt91

    nt91 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    5
    Hi, I got a bit antsy with waiting and so I followed the instructions given in this thread up to the Kaspersky step. The redirection problem seems to be gone, Malwarebytes detects nothing (although it did this before too), so I think it's mainly gone. I still have a problem where occasionally when I click on a website in a Google search I get redirected to cheapwebhostingdeal.com briefly before being redirected back to google.com.

    Edit: The Internet Explorer process is also still running in the background and just comes back when closed. So, should I just start from the beginning with going through ComboFix and everything?

    Edit #2: The Kaspersky thing isn't working. Says I need to restart every time.
     
  6. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,929
    Please follow the instructions from my previous post
     
  7. nt91

    nt91 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    5
    Actually, I think I solved it. I have Spyware Doctor and Malwarebytes Pro running now. I also ran tdsskiller.
     
  8. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,929
    OK

    Thanks for letting me know

    I am unsubscribing from this thread, so if you find any malware remaining, please start a new topic
     
Short URL to this thread: https://techguy.org/967034