
[Resolved] Search engine hijacked - self help didn't work


  • This topic is locked
6 replies to this topic

#1 bradlyco


    New Member

  • 3 posts

Posted 05 November 2009 - 07:17 PM

I noticed my searches in google and others, when clicked, took me to random link sites. I was running AVG 8.5, then when this started, I noticed it had updated to AVG 9.0 and the firewall was off. I uninstalled AVG and installed AVAST, plus IOBit360. They found two Trojans and said they fixed it, but my search bar is still hijacked and I am getting clean scans. I ran ATF Cleaner and Malware Bytes anti malware, which said I am clean. Any help would be greatly appreciated. Here is the DDS report:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Brad at 19:55:19.41 on Thu 11/05/2009
Internet Explorer: 8.0.7100.0 BrowserJavaVersion: 1.6.0_13
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.2558.1470 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\PSIService.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Brad\AppData\Local\Citrix\GoToAssist Express Expert\185\g2ax_start.exe
C:\Program Files\MultiClipBoard\MultiClipBoard.exe
C:\Program Files\FreeClip\Spartan.exe
C:\Users\Brad\AppData\Local\Citrix\GoToAssist Express Expert\185\g2ax_comm_expert.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Users\Brad\AppData\Local\Citrix\GoToAssist Express Expert\185\g2ax_user_expert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_DiskCleaner.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Brad\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = actsvr.comcastonline.com;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uURLSearchHooks: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
mURLSearchHooks: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RCUI] "c:\program files\ringcentral\ringcentral call controller\RCUI.exe"
uRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [GoToAssist Express Expert] "c:\users\brad\appdata\local\citrix\gotoassist express expert\185\g2ax_start.exe" "/Trigger RunAtLogon"
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
StartupFolder: c:\users\brad\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\brad\appdata\roaming\micros~1\windows\startm~1\programs\startup\spartan.lnk - c:\program files\freeclip\Spartan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\multic~1.lnk - c:\program files\multiclipboard\MultiClipBoard.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\google\google~4\GO36F4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\brad\appdata\roaming\mozilla\firefox\profiles\43gtcsf0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - component: c:\users\brad\appdata\roaming\mozilla\firefox\profiles\43gtcsf0.default\extensions\{18b8f08d-62fe-4dfc-ad6c-9ce46515d5ec}\components\Engine.dll
FF - component: c:\users\brad\appdata\roaming\mozilla\firefox\profiles\43gtcsf0.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\users\brad\appdata\roaming\mozilla\firefox\profiles\43gtcsf0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\users\brad\appdata\roaming\mozilla\firefox\profiles\43gtcsf0.default\extensions\{eecba28f-b68b-4b3a-b501-6ce12e6b8696}\platform\winnt_x86-msvc\components\winprocess.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-3 114768]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-6-30 147416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-3 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-3 53328]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-11-3 312592]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-5-28 391296]
R3 NVNET;NVIDIA nForce Ethernet Driver;c:\windows\system32\drivers\nvmf6232.sys [2009-5-19 287008]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-4-21 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-4-21 266752]
S2 gupdate1c9fc043d84a630;Google Update Service (gupdate1c9fc043d84a630);c:\program files\google\update\GoogleUpdate.exe [2009-7-3 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-4-21 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-26 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-3 30192]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2009-4-8 42888]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2009-11-05 00:50:45 1908 ----a-w- c:\windows\diagwrn.xml
2009-11-05 00:50:45 1908 ----a-w- c:\windows\diagerr.xml
2009-11-03 23:28:31 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-03 22:53:32 0 d-----w- c:\programdata\IObit
2009-11-03 22:53:30 0 d-----w- c:\program files\Conduit
2009-11-03 22:53:29 0 d-----w- c:\program files\IObitCom
2009-11-03 22:53:24 0 d-----w- c:\users\brad\appdata\roaming\IObit
2009-11-03 22:53:24 0 d-----w- c:\program files\IObit
2009-11-03 03:13:55 20 ----a-w- c:\windows\system32\SYSTEM
2009-10-27 00:29:33 54632 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2009-10-25 22:24:23 327680 ----a-w- c:\windows\system32\DartZip.dll
2009-10-25 22:24:23 245760 ----a-w- c:\windows\system32\DartFtp.dll
2009-10-25 22:24:23 221184 ----a-w- c:\windows\system32\DartSock.dll
2009-10-25 22:24:23 204800 ----a-w- c:\windows\system32\DartSecure2.dll
2009-10-25 22:24:23 163840 ----a-w- c:\windows\system32\DartCertificate.dll
2009-10-25 22:24:23 0 d-----w- c:\users\brad\appdata\roaming\DzSoft
2009-10-25 22:24:23 0 d-----w- c:\program files\DzSoft
2009-10-24 02:38:18 0 d-----w- c:\programdata\avg9
2009-10-24 00:19:27 0 d-----w- c:\programdata\Temp
2009-10-18 16:18:06 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2009-10-18 16:18:06 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2009-10-18 16:17:35 0 d-----w- c:\programdata\Nitro PDF
2009-10-18 16:17:35 0 d-----w- c:\program files\common files\Nitro PDF
2009-10-18 16:14:02 0 d-----w- c:\users\brad\appdata\roaming\Downloaded Installations
2009-10-18 16:10:57 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2009-10-18 16:10:53 0 d-----w- c:\program files\Nitro PDF
2009-10-14 20:11:17 108920 ----a-w- c:\users\brad\g2ax_expert_downloadhelper_win32_x86.exe
2009-10-14 07:00:53 306688 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-10 22:24:57 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-10 22:24:57 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-10 22:24:33 0 d-----w- c:\program files\iPod
2009-10-10 22:24:32 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 22:24:32 0 d-----w- c:\program files\iTunes
2009-10-10 22:24:20 0 d-----w- c:\program files\Bonjour
2009-10-10 22:20:36 0 d-----w- c:\programdata\Apple Computer

==================== Find3M ====================

2009-10-31 06:13:02 147416 ----a-w- c:\windows\system32\drivers\cbfs.sys
2009-10-27 13:35:27 848 --sha-w- c:\programdata\KGyGaAvL.sys
2009-10-01 14:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-28 17:00:24 311560 ----a-w- c:\windows\system32\PPPFilt.dll
2009-09-25 01:43:42 715638 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
2009-09-15 14:17:16 61760 ----a-w- c:\windows\system32\ASTSRV.EXE
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-04-22 09:01:08 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-04-22 09:01:08 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-04-22 09:01:08 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-04-22 09:01:08 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-04-22 08:14:13 174 --sha-w- c:\program files\desktop.ini
2009-04-22 04:38:41 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-04-22 04:38:41 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-04-22 04:38:39 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-04-22 04:38:39 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-27 04:24:20 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-01 00:28:58 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-06 00:23:21 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-22 05:19:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe

============= FINISH: 19:57:10.56 ===============

And here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.41
Database version: 3109
Windows 6.1.7100
11/5/2009 8:05:09 PM
mbam-log-2009-11-05 (20-05-09).txt

Scan type: Quick Scan
Objects scanned: 105023
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
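A small triage script, added here as an example and not part of bradlyco's post or of the DDS tool itself, that reads lines in the DDS "Pseudo HJT Report" / FIREFOX format and picks out the settings a helper looks at first in a search-redirect case: a configured IE proxy, the Firefox keyword.URL target and proxy mode, a populated AppInit_DLLs value, orphaned "- No File" entries, and UAC policy values set to 0. It only flags entries for a person to review and does not decide that anything is malicious. The sample lines are copied from the log above; the category names, severities and function names are this example's own.

```python
"""Triage helper for DDS 'Pseudo HJT Report' / FIREFOX lines (example code).

Flags settings worth a second look when searches are being redirected.
Every finding is a prompt for human review, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = actsvr.comcastonline.com;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
mURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
AppInit_DLLs: c:\progra~1\google\google~4\GO36F4~1.DLL
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
"""


@dataclass
class Finding:
    severity: str   # "review" (look at this first) or "info" (cleanup candidate)
    category: str   # category names are this example's own labels
    detail: str


# UAC policy values that remove the elevation prompt entirely:
# ConsentPromptBehaviorAdmin = 0 elevates without prompting,
# PromptOnSecureDesktop = 0 takes prompts off the secure desktop.
UAC_WEAKENERS = {"ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

# Firefox network.proxy.type: 0 none, 1 manual, 2 PAC URL, 4 auto-detect (WPAD), 5 system.
FF_PROXY_TYPES = {"0": "none", "1": "manual", "2": "PAC", "4": "auto-detect", "5": "system"}


def dehex(url: str) -> str:
    """DDS writes hxxp:// so URLs are not clickable; restore the scheme for parsing only."""
    return re.sub(r"^hxxp", "http", url)


def triage(log_text: str) -> List[Finding]:
    """Run the rules over each non-empty line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^[um]Internet Settings,ProxyServer = (.+)$", line)
        if m:
            findings.append(Finding("review", "ie-proxy", f"IE proxy set to {m.group(1)}"))
            continue
        if line.endswith("- No File"):
            # Registry reference whose file is gone: usually leftovers, worth listing for cleanup.
            findings.append(Finding("info", "orphan-entry", line))
            continue
        m = re.match(r"^mPolicies-system: (\w+) = (\d+) \(0x[0-9a-fA-F]+\)$", line)
        if m and UAC_WEAKENERS.get(m.group(1)) == m.group(2):
            findings.append(Finding("review", "uac-weakened", f"{m.group(1)} = {m.group(2)}"))
            continue
        m = re.match(r"^AppInit_DLLs: (.+)$", line)
        if m:
            # Anything listed here is loaded into every process that links user32.dll.
            findings.append(Finding("review", "appinit-dll", m.group(1)))
            continue
        m = re.match(r"^FF - prefs\.js: keyword\.URL - (\S+)$", line)
        if m:
            host = urlparse(dehex(m.group(1))).hostname
            findings.append(Finding("review", "ff-keyword-url", f"address-bar searches go to {host}"))
            continue
        m = re.match(r"^FF - prefs\.js: network\.proxy\.type - (\d+)$", line)
        if m and m.group(1) != "0":
            mode = FF_PROXY_TYPES.get(m.group(1), "unknown")
            findings.append(Finding("review", "ff-proxy", f"network.proxy.type = {m.group(1)} ({mode})"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for a quick overview before reading details."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:15} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved DDS log by passing the file's text to triage(); on the sample above it reports the IE proxy, the Firefox keyword.URL host, the Firefox auto-detect proxy mode, the AppInit_DLLs entry, two UAC policy values and three orphaned entries, which is exactly the short list a helper would check against the user's symptoms.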



#2 CatByte


    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 08 November 2009 - 08:17 AM

Hi,

Please run the following scan:

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 bradlyco


    New Member

  • 3 posts

Posted 08 November 2009 - 11:06 AM

Thanks for helping out. I have taken the infected computer to my office and cannot follow your suggestions until Monday morning. Please stick with me on this; I will let you know as soon as I can follow your instructions tomorrow.

#4 CatByte


    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 08 November 2009 - 11:07 AM

:thumbup:



#5 bradlyco


    New Member

  • 3 posts

Posted 10 November 2009 - 12:46 PM

Thank you for taking the time to help me, but I decided to wipe it all out and start over (thankfully, I had been backing up the important stuff). I started fresh with Norton 360 on a clean hard drive and scanned all the backed up items. So far, so good. Thanks again.

#6 CatByte


    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 10 November 2009 - 08:49 PM

Hi, thanks for letting me know.



#7 CatByte


    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 10 November 2009 - 08:49 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
