[Resolved] Hijacked Browser / Google redirect virus


18 replies to this topic

#1 spartin
New Member, Authentic Member, 9 posts

Posted 08 October 2009 - 11:20 PM

When I click on Google search result links, my browser is redirected to other sites. Sometimes when I hit the back button I go directly back to the search results, sometimes I get redirected to yet another page, sometimes the page I'm on just reloads forever. I first noticed the problem a few days ago and I have tried a few fixes but to no avail. First, I tried Malwarebytes. I did a thorough scan and in the middle of it, Avast!, my antivirus, gives me a warning. I opt to move the virus to the chest. Then the warning pops up again. Same thing. This happens 4 times in a row. After the scan I open the chest and find that the virus is described as "Win32:MalOb-C[cryp]." This did not take care of the issue. I tried running a boot scan with Avast! and then when I jumped back online Avast! blocked one redirect attempt, then the redirects just kept on coming. I was going to run Malwarebytes and/or Spybot S&D in safe mode, but when I try to go into safe mode I get the following message:

"can't restart in safemode because the following file is missing or corrupt: <windows root>\system32\hal.dll"

I'm running XP media center edition and it has no problem booting in normal mode. I also ran spybot s&d and it found some problems, which I fixed, but that did not clear up the browser redirection issue.

So, a few hours ago I uninstalled Malwarebytes and ran Atribune's ATF Cleaner. I did a fresh install of Malwarebytes and ran it again. It found nothing. Then, I scanned with HijackThis. Here is the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:15 AM, on 10/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Quest/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Quest/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Thanks for any help you can provide.
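As an added example (not part of this thread, and not HijackThis code), here is a small Python parser for the HijackThis v2 log format posted above: it separates the running-process list from the R/O entries, breaks the O4 autorun and O23 service lines into fields, and lists autostart binaries that have no matching running process. That last list is a triage prompt for the helper to follow up on, not a verdict. The log excerpt is copied from the post above; the regular expressions are my own reading of the format.

```python
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Name] "C:\path\prog.exe" -switch
O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: Display Name (svc) - Vendor - C:\path\svc.exe
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Excerpt of the HijackThis log posted above (lines copied from the post, not constructed).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:15 AM, on 10/9/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O15 - Trusted Zone: *.line6.net
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
"""

@dataclass
class Entry:
    code: str            # HijackThis section code, e.g. "O4"
    body: str            # everything after "O4 - "
    fields: dict = field(default_factory=dict)  # parsed sub-fields for O4/O23

def _exe_from_cmd(cmd):
    """Return the executable path from an autorun command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_hjt(text):
    """Return (running_processes, entries) parsed from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O entry ends the process list
            e = Entry(m.group("code"), m.group("body"))
            sub = O4_RE.match(e.body) if e.code == "O4" else O23_RE.match(e.body) if e.code == "O23" else None
            if sub:
                e.fields = sub.groupdict()
                if "cmd" in e.fields:
                    e.fields["exe"] = _exe_from_cmd(e.fields["cmd"])
            entries.append(e)
        elif in_procs:
            procs.append(line)
    return procs, entries

def summarize(entries):
    """Count entries per section code."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts

def autostarts_not_running(procs, entries):
    """O4/O23 executables with no running process of the same file name.
    Compared by file name only (case-insensitive) because HijackThis mixes 8.3 short
    paths (PROGRA~1) with long paths. A hit means "look closer", not "malicious"."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in procs}
    hits = []
    for e in entries:
        exe = e.fields.get("exe") or e.fields.get("path")
        if exe and exe.rsplit("\\", 1)[-1].lower() not in running:
            hits.append((e.code, e.fields.get("name") or e.fields.get("display"), exe))
    return hits

if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(entries))
    print("autostart/service binaries with no running process (review, not verdict):")
    for code, name, exe in autostarts_not_running(procs, entries):
        print(f"  {code} [{name}] {exe}")
```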



#2 Tomk
Beguilement Monitor, Global Moderator, 20,451 posts

Posted 11 October 2009 - 12:57 PM

Hi spartin,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 spartin
New Member, Authentic Member, 9 posts

Posted 12 October 2009 - 05:01 PM

Thanks, Tomk. Sorry for the slow response. Unfortunately, there is no log to post because the Kaspersky scan did not find any threats, infections or suspicious stuff. I started the scan, then about 10% into it I stopped because I finally noticed on the page displaying the scan statistics there was a notice saying that my anti-virus should be turned off to allow Kaspersky to scan anti-virus files. So, I re-ran it with my anti-virus (Avast!) disabled. Also worth mentioning is that, after I posted on this forum, but before you got back to me, I downloaded and ran StopZilla. It found Vundo.T, a file found in C:\programfile\winrar\zip.sfx. I found the file using Malwarebytes File Assassin and deleted it. That did not resolve my issue. StopZilla also found WhenU.search, a directory located in C:\program files\WSN. I have done nothing to remove this. I did not buy StopZilla, so I cannot remove the infections it found with that program. I would like to buy it but cannot afford to do so right now. Is there a way to remove those infections with some other tool? I am imagining that my browser redirect issues may not even be related to those 2 infections. Thank you in advance! -spartin

#4 Tomk
Beguilement Monitor, Global Moderator, 20,451 posts

Posted 12 October 2009 - 05:49 PM

spartin,

I wouldn't buy StopZilla.

Download Rooter.exe to your desktop

  • Then double-click it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

Tomk
 

#5 spartin
New Member, Authentic Member, 9 posts

Posted 12 October 2009 - 10:01 PM

Thanks, Tomk,

HERE IS THE ROOTER SCAN REPORT:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2 [32_bits] - x86 Family 15 Model 44 Stepping 0, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 7.0.5730.11
.
C:\ [Fixed-NTFS] .. ( Total:186 Go - Free:5 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [Removable]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
.
Scan : 23:37.20
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (484)
______ \??\C:\WINDOWS\system32\csrss.exe (548)
______ \??\C:\WINDOWS\system32\winlogon.exe (580)
______ C:\WINDOWS\system32\services.exe (628)
______ C:\WINDOWS\system32\lsass.exe (640)
______ C:\WINDOWS\system32\Ati2evxx.exe (808)
______ C:\WINDOWS\system32\svchost.exe (828)
______ C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe (880)
______ C:\WINDOWS\system32\svchost.exe (960)
______ C:\WINDOWS\System32\svchost.exe (1036)
______ C:\WINDOWS\system32\svchost.exe (1088)
______ C:\WINDOWS\system32\svchost.exe (1228)
______ C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (1288)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1328)
______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (1392)
______ C:\WINDOWS\system32\spoolsv.exe (1660)
______ C:\WINDOWS\system32\svchost.exe (1792)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1828)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1856)
______ C:\WINDOWS\eHome\ehRecvr.exe (1920)
______ C:\WINDOWS\eHome\ehSched.exe (1972)
______ C:\WINDOWS\system32\inetsrv\inetinfo.exe (188)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (216)
______ C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (404)
______ C:\WINDOWS\system32\svchost.exe (544)
______ C:\WINDOWS\system32\svchost.exe (1180)
______ C:\WINDOWS\ehome\mcrdsvc.exe (956)
______ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (2204)
______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (2256)
______ C:\WINDOWS\system32\dllhost.exe (2316)
______ C:\WINDOWS\System32\alg.exe (2732)
______ C:\WINDOWS\system32\Ati2evxx.exe (3492)
______ C:\Program Files\STOPzilla!\STOPzilla.exe (3524)
______ C:\WINDOWS\Explorer.EXE (3640)
______ C:\WINDOWS\system32\wuauclt.exe (3696)
______ C:\WINDOWS\system32\ctfmon.exe (3820)
______ C:\WINDOWS\SOUNDMAN.EXE (3892)
______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (4000)
______ C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe (4024)
______ C:\WINDOWS\ehome\ehtray.exe (4032)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (4048)
______ C:\WINDOWS\vsnp2std.exe (4064)
______ C:\Program Files\iTunes\iTunesHelper.exe (4080)
______ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (520)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (516)
______ C:\WINDOWS\eHome\ehmsas.exe (1936)
______ C:\Program Files\iPod\bin\iPodService.exe (2656)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2816)
______ C:\WINDOWS\system32\wscntfy.exe (3412)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (3572)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:200038777344)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Google Software Updater.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 23:37.55
.
C:\Rooter$\Rooter_1.txt - (12/10/2009 | 23:37.55)

HERE IS THE DDS.TXT REPORT:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 23:44:07.85 on Mon 10/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1155 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 091012-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: line6.net
Trusted Zone: turbotax.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Quest/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Quest/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-2 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20560]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-10-27 33792]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2006-10-26 472832]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-7-15 29312]
S3 Alesis1394;Alesis Firewire Driver;c:\windows\system32\drivers\Alesis1394.sys [2006-12-1 111744]
S3 Alesis1394Midi;%Alesis1394Midi.SvcDesc%;c:\windows\system32\drivers\Alesis1394Midi.sys [2006-12-1 16640]
S3 Alesis1394Strm;%Alesis1394Strm.SvcDesc%;c:\windows\system32\drivers\Alesis1394Strm.sys [2006-12-1 18176]
S3 ffPro26IO_1394;ffPro26IO_1394;c:\windows\system32\drivers\ffPro26IO_1394.sys [2007-8-3 116736]
S3 ffPro26IO_avs;ffPro26IO_avs;c:\windows\system32\drivers\ffPro26IO_avs.sys [2007-8-3 44544]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-16 31592]
S3 L6TPortA;Service - Line 6 TonePort UX1;c:\windows\system32\drivers\L6TPortA.sys [2006-9-29 472832]

=============== Created Last 30 ================

2009-10-09 13:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-09 13:36 <DIR> --d----- c:\program files\STOPzilla!
2009-10-09 13:36 <DIR> --d----- c:\program files\common files\iS3
2009-10-09 13:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-09 00:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 20:16 <DIR> --d----- c:\program files\Trend Micro
2009-10-06 13:12 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-06 13:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

============= FINISH: 23:45:53.95 ===============

ATTACHED IS DDS ATTACH

Thanks, -Spartin


#6 Tomk
Beguilement Monitor, Global Moderator, 20,451 posts

Posted 12 October 2009 - 10:27 PM

spartin,

Let's try this:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
 

#7 spartin
New Member, Authentic Member, 9 posts

Posted 14 October 2009 - 09:35 AM

Thanks Tomk. Unfortunately, I waited and now it's too late. Last night as I went into the office to shut down the PC I found a blue screen of death which read:

"A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps: Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters. Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode. Technical Information: ***STOP: 0x0000007E (0x80000003, 0x805B8424, 0xBA4E32B8, 0xBA4E2FB4)"

As I previously stated, I can't start in Safe Mode and instead get the following message: "Windows could not start because the following file is missing or corrupt: <Windows root>\system32\hal.dll"

Thank you for all of your help so far. Please advise. -Spartin

#8 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 14 October 2009 - 10:17 AM

spartin,

Please reboot and tap F8 like you are going for safe mode, but instead of choosing safe mode, select Last known good configuration.

Let me know how it goes.
Tomk

#9 spartin

spartin

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 October 2009 - 04:03 PM

Thanks Tomk. I tried selecting Last Known Good Configuration, but Windows would not boot up. So, I tried popping in my Windows bootable CD to try and repair or replace the missing or corrupt hal.dll file. However, my eMachines version of system restore only gives me 2 options for beginning the system restore process: full system restore, which wipes out everything, or full system restore with backup. I chose the latter because at this point I am thinking that losing my apps is not that big of a deal and I will settle for retrieving my data. The computer read all 5 CDs successfully; after the files from the final CD were installed I clicked OK to restart the machine, Windows booted up, then it began completing the setup. It got all the way to "installing applications" and froze. It looked like these were the factory pre-installed programs like Microsoft Works, Norton, etc. I had to manually turn off the PC. I began booting it back up and then it froze at about the same spot as before. I went through this routine about 6 or 7 times and eventually it froze up at an earlier point in the process (recognizing devices). Now when I try to boot up the machine the Windows logo displays, the OS begins booting up, then I get a dialog box that reads "The system is not fully installed. Please run set up again." What do you recommend? -Spartin

#10 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 14 October 2009 - 04:22 PM

spartin, I'm not familiar with system restore with backup. Did it allow you to back up your files before attempting to restore your operating system? Do you happen to have any friends or family members with a Windows XP Media Center disk?
Tomk
#11 spartin

spartin

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 October 2009 - 06:19 PM

Hi Tomk, No and No. The system restore with backup option (powered by PC Angel) states that all hard disk contents will be moved to the "c:\My Backup" directory and a new copy of Windows will be installed. It also states that this option preserves your existing files; however, all applications and settings will need to be reinstalled. I don't know anyone with a Media Center XP disk. I could do a fresh install with the eMachines disks, but then I would lose all of my data. What should I do? Thanks, -Spartin

#12 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 14 October 2009 - 06:50 PM

spartin, the hal.dll error is most often the result of a corrupt boot.ini file. We can attempt to rebuild it from the Recovery Console, but I don't believe that the discs you have allow for that. Please see if you can borrow any XP disk from friends or family. We can then attempt to boot from it into the Recovery Console and see if we can rebuild the boot.ini file.
Tomk

#13 spartin

spartin

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 15 October 2009 - 10:03 AM

Thanks Tomk, Before I try that, I'm going to see if I can rescue my data with Knoppix. -Spartin

#14 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 15 October 2009 - 10:28 AM

spartin, good choice. :thumbup: For most users that is a "scary" step. However, if you are comfortable with it, I'd say it's your best bet. Back up your data, then reformat and reinstall.
Tomk

#15 spartin

spartin

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 18 October 2009 - 02:38 PM

Tomk, Knoppix worked great and was easy to use. All my data has been rescued. Now to reformat and reinstall... Thanks for your help. -Spartin
