Redirected from google search results!

Discussion in 'Malware and Virus Removal Archive' started by N593, 2007/04/18.

  1. 2007/04/18
    N593 (Thread Starter)
    When I do a search on Google and click on the title of a search result, I keep getting redirected to random websites such as "rpicamps.com" and "camouflageclothingonline.net".
    I ran a search on Ad-Aware SE and nothing came up. I also read previous threads of people with this problem but I cannot find the files they removed on my computer. Here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:12:10 PM, on 18/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINPENJR\Win32\pphidpad.exe
    C:\WINPENJR\win32\pphidpad.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\system32\algs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    F3 - REG:win.ini: run=C:\WINPENJR\win32\custom.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    please help!
     
    N593,
    #1
  2. 2007/04/19
    TeMerc (Alumni)
    Hello and welcome to WindowsBBS Forums.

    OK, looks to be a worm or trojan of some sort, depending on who you read about it from.

    We'll grab a couple of online scans and fix with HJT to remove.

    Panda ActiveScan
    • Click the [Scan your PC] button. ( You may have to disable any pop up blockers)
    • Then press the green [Check Now] button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    KAV SCAN:
    Kaspersky Online Scanner

    Click on Kaspersky Online Scanner icon.
    Accept the Kaspersky agreement and the program will load.
    You will then be prompted to install an ActiveX component from Kaspersky, click Yes

    The program will then begin downloading the latest definition files. This will take a good while, even with hi-speed Internet access.
    Once the files have been downloaded click on Next

    Now click on [Scan Settings] button.
    In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
    Click OK

    Now under the Please select a target to scan:
    Select My Computer

    The program will begin the scanning process.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.
    Then click on the [Save as Text] button
    Save the file to your desktop.

    Copy and paste that information in your next post for me to review.

    Once those are done, Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe


    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\system32\ipv6mops.dll<<<--this file
    C:\WINDOWS\system32\algs.exe<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please along with the other two logs as well.
     
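    The two patterns TeMerc picked out of N593's log can be checked mechanically. The Python script below is an added example, not code from this thread or from HijackThis: it parses the O2 (BHO) and O4 (Run key) lines of an HJT log and flags unnamed or orphaned BHOs and Run values that borrow the display name of a built-in Windows service. The sample lines are copied from the log posted above; the service-name table is an assumption limited to the one name seen here (the real Application Layer Gateway Service binary is alg.exe, started by the Service Control Manager rather than from a Run key, which is why an "algs.exe" under that name stands out).

```python
"""Triage a HijackThis (HJT) log for the two patterns flagged in this thread.

Added example; not code from the thread or from HijackThis. Two heuristics:
  * O2 BHO entries that report "(no name)" or "(no file)": legitimate BHOs
    almost always carry a product name; "(no file)" is an orphaned registration.
  * O4 Run entries that borrow the display name of a built-in Windows service:
    real services are started by the Service Control Manager, never from a
    Run key, and the binary usually mimics the real one (algs.exe vs alg.exe).
"""
import difflib
import re

# Display name -> real binary. Assumption: only the name seen in this thread is
# listed; extend the table for other service names you see abused.
SERVICE_DISPLAY_NAMES = {
    "Application Layer Gateway Service": "alg.exe",
}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample: lines copied from the HJT log posted above, plus
# known-good entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def binary_name(cmd):
    """Lower-cased file name of the executable in a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]        # quoted path, arguments after it
    else:
        exe = cmd.split(" /", 1)[0]           # unquoted path, switches after it
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (log line, reason) pairs worth fixing with HJT."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append((line, "orphaned BHO registration (DLL already gone)"))
            elif m["name"] == "(no name)":
                findings.append((line, "unnamed BHO loading " + m["path"]))
            continue
        m = RUN_RE.match(line)
        if m and m["name"] in SERVICE_DISPLAY_NAMES:
            real = SERVICE_DISPLAY_NAMES[m["name"]]
            actual = binary_name(m["cmd"])
            reason = ("Run value borrows service name %r; the real service binary "
                      "is %s and is not started from a Run key" % (m["name"], real))
            if actual != real and difflib.SequenceMatcher(None, real, actual).ratio() >= 0.8:
                reason += "; %s is a look-alike file name" % actual
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        print("    ->", why)
```

    Run against the sample it reports exactly the three entries TeMerc listed for "Fix Checked" and nothing else. The look-alike test is deliberately loose (a difflib ratio of 0.8 or better) so that one-character pads such as algs.exe or svchosts.exe are caught; a full-blown allowlist of system32 binaries would be the next step, not something this script claims to be.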

  4. 2007/04/19
    N593 (Thread Starter)
    Thanks for the reply!
    I found the other two in HJT and fixed them, but I could not find
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe

    Also, when I restarted in Safe Mode, I found and deleted the "ipv6mops.dll" but could not find "algs.exe"

    here is the Panda Active scan log:
    Incident Status Location
    Virus:W32/SdBot.KGN.worm Disinfected Operating system
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joan\Cookies\joan@ad.yieldmanager[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joan\Cookies\joan@advertising[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Joan\Cookies\joan@atdmt[2].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Joan\Cookies\joan@azjmp[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Joan\Cookies\joan@bs.serving-sys[1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Joan\Cookies\joan@casalemedia[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Joan\Cookies\joan@doubleclick[1].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Joan\Cookies\joan@errorsafe[2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Joan\Cookies\joan@fastclick[2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Joan\Cookies\joan@media.fastclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Joan\Cookies\joan@mediaplex[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Joan\Cookies\joan@overture[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Joan\Cookies\joan@serving-sys[2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joan\Cookies\joan@statcounter[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Joan\Cookies\joan@stats1.reliablestats[1].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Joan\Cookies\joan@systemdoctor[1].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Joan\Cookies\joan@www.errorsafe[1].txt
    Virus:Trj/Spy.G Disinfected C:\WINDOWS\system32\main.sys
    Virus:Trj/Agent.EXM Disinfected C:\WINDOWS\system32\wknxiitv.exe

    Here is the Kaspersky log:
    Thursday, April 19, 2007 10:15:52 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 19/04/2007
    Kaspersky Anti-Virus database records: 299205


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\

    Scan Statistics
    Total number of scanned objects 28347
    Number of viruses found 3
    Number of infected objects 18 / 0
    Number of suspicious objects 0
    Duration of the scan process 02:03:58

    Infected Object Name Virus Name Last Action
    C:\as.txt Object is locked skipped

    C:\Documents and Settings\Joan\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\dfsr.db Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\fsr.log Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\fsrtmp.log Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\tmp.edb Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows Live Contacts\red_bread@hotmail.com\real\members.stg Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows Live Contacts\red_bread@hotmail.com\shadow\members.stg Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\History\History.IE5\MSHist012007041920070420\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF4825.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF4835.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF8665.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF8954.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Joan\NTUSER.DAT.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004231.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004273.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005273.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006273.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007272.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007277.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007278.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007285.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.m skipped

    C:\WINDOWS\system32\ws2_32.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Here is the new HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:13:10 PM, on 19/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINPENJR\win32\pphidpad.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    F3 - REG:win.ini: run=C:\WINPENJR\win32\custom.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    Thanks!
     
    N593,
    #3
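    The Kaspersky log above is long, but only two lines in it describe live infections; the rest are either in-use files the scanner could not open ("Object is locked") or old copies held in a System Restore point. The Python script below is an added example, not code from this thread or from Kaspersky: it parses lines in that log format, sorts them into those buckets, and singles out the two cases a first-time reader tends to misjudge. A path ending in ":fork2:$DATA" is the Win32 name of an NTFS alternate data stream, so the malware lives in a hidden stream attached to ws2_32.dll while the DLL's own contents are untouched, and deleting the DLL would break networking for nothing. Trojan.Win32.Patched.m on winlogon.exe means the real binary was modified in place, and because winlogon is always running it cannot be replaced from a normal session. The sample lines are a subset of the log posted above; the list of always-running binaries is an assumption.

```python
"""Triage a Kaspersky Online Scanner log like the one posted above.

Added example; not code from the thread or from Kaspersky. It separates scanner
noise from findings that need action and singles out two cases that are easy
to misread: copies inside System Restore points, and malware stored in an NTFS
alternate data stream (the ':name:$DATA' suffix on an otherwise clean host file).
"""
import re

RESULT_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<malware>\S+)|Object is locked) skipped$")
ADS_RE = re.compile(r"^(?P<host>.+):(?P<stream>[^\\:]+):\$DATA$")
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE)

# Core binaries that are always running and so cannot be overwritten from a
# normal session; replacing them needs an offline boot. Assumption: short list.
ALWAYS_RUNNING = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed sample: a subset of the Kaspersky log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Joan\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004231.sys Infected: Rootkit.Win32.Agent.el skipped
C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.m skipped
C:\WINDOWS\system32\ws2_32.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped
"""


def triage(log_text):
    """Sort each result line into one of five buckets."""
    out = {"locked": [], "restore_point": [], "ads": [], "live": [], "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if not m:
            out["unparsed"].append(line)
            continue
        path, malware = m["path"], m["malware"]
        if malware is None:
            # In-use file the scanner could not open: not a detection.
            out["locked"].append(path)
            continue
        if RESTORE_RE.search(path):
            # Old copy held by System Restore; purged by clearing restore points.
            out["restore_point"].append((path, malware))
            continue
        ads = ADS_RE.match(path)
        if ads:
            # The host file is clean; only the named stream must be removed.
            out["ads"].append({"host": ads["host"], "stream": ads["stream"],
                               "malware": malware})
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        out["live"].append({"path": path, "malware": malware,
                            "needs_offline_replace": name in ALWAYS_RUNNING})
    return out


def action_items(log_text):
    """Human-readable to-do list derived from triage(); noise is summarised."""
    t = triage(log_text)
    items = ["%d locked objects skipped (not detections)" % len(t["locked"]),
             "%d infected restore-point copies: clear System Restore" % len(t["restore_point"])]
    for a in t["ads"]:
        items.append("remove stream %s:%s (%s); keep the host file"
                     % (a["host"], a["stream"], a["malware"]))
    for f in t["live"]:
        how = ("replace from a clean copy while offline" if f["needs_offline_replace"]
               else "clean or delete")
        items.append("%s (%s): %s" % (f["path"], f["malware"], how))
    return items


if __name__ == "__main__":
    for item in action_items(SAMPLE_LOG):
        print(item)
```

    On the sample this yields four action items: the locked-object count, the restore-point count, the ws2_32.dll stream to strip, and winlogon.exe to replace offline. That is the same conclusion Blender reaches further down, reached from the log rather than from experience, which is the point of writing the triage down.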
  5. 2007/04/20
    TeMerc (Alumni)
    OK, this is going to require a very advanced procedure and I need to get some assistance with it.

    Please be patient as I await that help, thanks.
     
  6. 2007/04/20
    N593 (Thread Starter)
    OK, I don't know if anything is still wrong, but I don't get redirected any more from Google search results.
     
    N593,
    #5
  7. 2007/04/20
    Blender
    Hi,

    TeMerc asked me to pop in here to have a look.
    One of your system files is infected and we gotta replace it. This is a bit difficult since winlogon is always running and therefore can't be overwritten.
    The infected winlogon is also going to re-install some of the junk that was already removed by Panda and your other scans, so while we fix winlogon we'll also remove the rest of the junk if it's there.

    Print out instructions please. You will not have access to this page or much else for that matter during fix. Almost everything that is required to run windows won't be running.

    Download Gmer from here:

    http://www.gmer.net/gmer.zip

    Unzip it.

    Open Gmer folder and double click Gmer.exe.
    If you get warning about gmer driver installing... allow it.
    If you get warning about possible rootkit activity click NO at the scan prompt.

    Click the "processes" tab at top.

    Click "safe" at right.
    You will be prompted to shut down machine. Say OK.

    When you reboot you will get prompt to boot to Gmer Safe.
    Say OK.

    At this point you have access to pretty much nothing. Gmer is in control, "so to speak". Whatever we do is going to be done through Gmer.
    Do NOT close the Gmer window or you will be forced to reboot.

    At the bottom of Gmer window where it says "run" type:
    cmd.exe
    A command box opens.

    Type the following commands and hit enter after each one:
    Note where I have any spaces and quotes in the commands.

    copy c:\windows\system32\dllcache\winlogon.exe c:\windows\system32

    You should be prompted to overwrite the one already there. Type yes and hit enter.
    With these commands you may encounter errors saying service or file does not exist. Thats OK. Keep going.

    Type:

    sc delete EXAMPLE
    sc delete Runtime
    del c:\windows\system32\main.sys
    del c:\windows\system32\drivers\runtime.sys
    del c:\windows\system32\wsys.dll


    Now type: "c:\program files\Hijackthis\Hijackthis.exe"

    hijackthis opens.
    Click "open misc tools options"
    Click "Open ADSSpy"
    UNcheck "quickscan (windows base folder only)"
    Click "scan"
    Wait till scan is done.

    Once finished you should see listing for this:

    C:\WINDOWS\system32\ws2_32.dll:fork2:$DATA

    Checkmark that item and click "remove selected"
    OK the prompt.
    Rescan to confirm it is gone.

    Exit Hijackthis
    Exit the cmd window
    At right of Gmer click "restart"
    OK prompt to shut down machine.
    If machine does not reboot then restart it manually yourself (reset)

    Once restarted please run new full scan at Kaspersky site, save log & post results.
    Post fresh hijackthis log as well.
    You will likely need 2 posts to get both logs in.

    Let us know how system is running. Let me know if you had problems along the way.

    Thanks :)
     
  8. 2007/04/21
    N593 (Thread Starter)
    Here's the Kavscan log:
    Saturday, April 21, 2007 8:05:51 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 21/04/2007
    Kaspersky Anti-Virus database records: 300202


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\

    Scan Statistics
    Total number of scanned objects 35648
    Number of viruses found 5
    Number of infected objects 47 / 0
    Number of suspicious objects 0
    Duration of the scan process 01:23:50

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\Joan\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\dfsr.db Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\fsr.log Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\fsrtmp.log Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Messenger\red_bread@hotmail.com\SharingMetadata\Working\database_B804_8835_487_F522\tmp.edb Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows Live Contacts\red_bread@hotmail.com\real\members.stg Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows Live Contacts\red_bread@hotmail.com\shadow\members.stg Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\History\History.IE5\MSHist012007042120070422\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF1815.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF1831.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF262B.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temp\~DF267B.tmp Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Joan\Local Settings\Temporary Internet Files\Content.IE5\X84VL1GD\api2_rest[7].xml Object is locked skipped

    C:\Documents and Settings\Joan\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Joan\NTUSER.DAT.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004231.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004273.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005273.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006273.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007266.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007272.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007277.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007278.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007285.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP25\A0007333.sys Infected: Rootkit.Win32.Agent.dp skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007373.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007374.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007390.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007405.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007406.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007412.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007428.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007429.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007436.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007441.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007442.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007449.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007452.sys Infected: Rootkit.Win32.Agent.eb skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007470.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007471.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007477.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007479.sys Infected: Rootkit.Win32.Agent.eb skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007484.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007485.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007495.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007499.sys Infected: Rootkit.Win32.Agent.eb skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007501.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007502.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007509.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0007592.sys Infected: Rootkit.Win32.Agent.eb skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0007594.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0007595.exe Infected: Trojan.Win32.Patched.m skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0008594.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0008597.sys Infected: Rootkit.Win32.Agent.el skipped

    C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\ksys.sys Infected: Rootkit.Win32.Agent.eb skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    and heres the HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:06:14 PM, on 21/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINPENJR\Win32\pphidpad.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    F3 - REG:win.ini: run=C:\WINPENJR\win32\custom.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    The KAV scan found a lot of trojans o_O
    I think I'll keep trying, and if I can't fix it I'll just format it again.
     
  9. 2007/04/21
    Blender
    Hi,

    Don't worry about the stuff found in System Volume Information folders. That is your system restore and we'll clear that out when we are done.
    All those items KAV shows as "locked" are normal. The system locks several files and nothing can access them.

    Looks like you got winlogon replaced OK and also got rid of the bad ADS attached to that other file.

    Your scan shows one nasty left. I'm not sure this is all, but it does look like we are getting somewhere.

    C:\WINDOWS\system32\ksys.sys Infected: Rootkit.Win32.Agent.eb skipped

    I suspect several security changes have been made and the next tool we use *should* fix that and remove the above file.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

    I would also like to see a bootlog when you have done the above.

    Click Start > Run, type msconfig and hit Enter.
    Click the BOOT.INI tab.
    Checkmark /BOOTLOG.
    Click "Apply" and "Close".
    Go ahead and reboot.

    Once restarted you can check the box that says "don't tell me this again...." at the msconfig prompt, then OK.

    Post results of this file:

    C:\windows\ntbtlog.txt

    If troubles posting it you can upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Thanks :)
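The triage rule in the reply above (locked files are expected noise, detections under System Volume Information are restore-point copies to be purged after cleanup, anything else flagged is still live on the running system, and a `:stream:$DATA` suffix means the payload sits in an NTFS alternate data stream) written out as Python over a few constructed lines in Kaspersky Online Scanner 5's report format. This is an added example, not code from the thread or from Kaspersky; the sample lines are constructed from the log posted above, and the function names and regular expressions are my own.

```python
"""Triage a Kaspersky Online Scanner 5 report: locked objects are noise,
hits under System Volume Information are restore-point copies, anything
else flagged is a live infection that still needs removing."""
import re
from collections import Counter

# Constructed sample in the scanner's "<path> <status> <last action>" line
# format, modelled on (but far shorter than) the log posted in the thread.
SAMPLE_SCAN = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Joan\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004231.sys Infected: Rootkit.Win32.Agent.el skipped
C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004265.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped
C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007452.sys Infected: Rootkit.Win32.Agent.eb skipped
C:\WINDOWS\system32\ksys.sys Infected: Rootkit.Win32.Agent.eb skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
"""

# One result line: a path (which may contain spaces), then either the locked
# marker or a detection with its signature name, then the last action taken.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked|(?:Infected|Suspicious): (?P<name>\S+)) (?P<action>\S+)$"
)
# Restore-point copies live under _restore{GUID}\RPnn; System Restore re-creates them.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
# An NTFS alternate data stream is reported as "<file>:<stream>:$DATA".
ADS_RE = re.compile(r":[^\\:]+:\$DATA$")


def triage(report: str) -> dict:
    """Split a KAV report into locked noise, restore-point copies and live hits."""
    result = {"locked": 0, "restore_point": [], "live": [], "ads": [], "families": Counter()}
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, footer or a line shape we do not understand
        path, name = m.group("path"), m.group("name")
        if name is None:
            result["locked"] += 1  # hives, index.dat, event logs: in use, not malware
            continue
        result["families"][name] += 1
        if ADS_RE.search(path):
            result["ads"].append(path)  # hidden in a named stream; Explorer never shows it
        if RESTORE_RE.search(path):
            result["restore_point"].append((path, name))
        else:
            result["live"].append((path, name))  # still on the running system: act on these
    return result


def summary(report: str) -> str:
    """Human-readable version of triage() for pasting back into a reply."""
    r = triage(report)
    lines = [
        f"locked (ignore): {r['locked']}",
        f"restore-point copies (purge System Restore when done): {len(r['restore_point'])}",
        f"live detections (remove): {len(r['live'])}",
    ]
    lines += [f"  {path}  <-  {name}" for path, name in r["live"]]
    if r["ads"]:
        lines.append(f"ADS-resident payloads: {len(r['ads'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_SCAN))
```

On the sample above the only live entry is `C:\WINDOWS\system32\ksys.sys`, which is exactly the one file the reply singles out; the restore-point copies disappear when System Restore is turned off and back on, and the ADS list is worth keeping because a stream attached to a clean-looking DLL survives a plain file listing.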
     
  10. 2007/04/26
    N593
    Sorry, a bit late because the holidays finished.

    Here's the SDFix:

    SDFix: Version 1.79

    Run by Joan - Thu 26/04/2007 - 21:48:14.23

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    EXAMPLE
    NDnet1
    Runtime

    ImagePath:
    \??\C:\WINDOWS\system32\main.sys
    \??\C:\WINDOWS\system32\ksys.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys

    EXAMPLE - Deleted
    NDnet1 - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\as.txt - Deleted
    C:\WINDOWS\system32\2_exception.nls - Deleted
    C:\WINDOWS\system32\ksys.sys - Deleted



    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:patcher MFC ?? ????"
    "C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe:*:Enabled:patcher MFC ?? ????"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
    "C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
    "C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Documents and Settings\Joan\Application Data\Microsoft\Word\~WRL0606.tmp
    C:\Documents and Settings\Joan\Application Data\Microsoft\Word\~WRL2080.tmp
    C:\Documents and Settings\Joan\Application Data\Microsoft\Word\~WRL3633.tmp
    C:\Documents and Settings\Joan\My Documents\~WRL2596.tmp

    Finished

    Bootlog:

    SDFix: Version 1.79

    Run by Joan - Thu 26/04/2007 - 21:48:14.23

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    EXAMPLE
    NDnet1
    Runtime

    ImagePath:
    \??\C:\WINDOWS\system32\main.sys
    \??\C:\WINDOWS\system32\ksys.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys

    EXAMPLE - Deleted
    NDnet1 - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\as.txt - Deleted
    C:\WINDOWS\system32\2_exception.nls - Deleted
    C:\WINDOWS\system32\ksys.sys - Deleted



    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:patcher MFC ?? ????"
    "C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe:*:Enabled:patcher MFC ?? ????"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
    "C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
    "C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Documents and Settings\Joan\Application Data\Microsoft\Word\~WRL0606.tmp
    C:\Documents and Settings\Joan\Application Data\Microsoft\Word\~WRL2080.tmp
    C:\Documents and Settings\Joan\Application Data\Microsoft\Word\~WRL3633.tmp
    C:\Documents and Settings\Joan\My Documents\~WRL2596.tmp

    Finished
     
  11. 2007/04/26
    N593
    Sorry, couldn't fit everything in one post.

    Here's the HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:12:59 PM, on 26/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINPENJR\Win32\pphidpad.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     
  12. 2007/04/27
    Blender
    Hi,

    SDFix did quite well. How is the system running? Looks like it did leave one active driver though.
    I would like to double check a couple things...

    Please locate this file c:\Windows\ntbtlog.txt

    and upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    it will be too big to post here because it will have recorded a few reboots by now.
    Please leave link to this thread at your upload so I know who's log it belongs to.

    Next:

    Click Start > Run, type gmer.exe and hit Enter.
    If you get a warning at GMER start about possible rootkit activity, click "Yes" to scan.
    If there is no warning, stay on the Rootkit tab and click "Scan".
    Wait till the scan is done.
    Once finished, press "Copy", open Notepad, and press "Ctrl + V" to paste the log.

    Post it here please.

    Thanks :)
     
  13. 2007/04/29
    N593

    N593 Inactive Thread Starter

    Joined:
    2007/04/18
    Messages:
    9
    Likes Received:
    0
    The system is running fine :)

    I uploaded the boot log to Bleeping Computer and here's the GMER log:

    GMER 1.0.12.12244 - http://www.gmer.net
    Rootkit scan 2007-04-29 22:56:39
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.12 ----

    ? C:\WINDOWS\system32\DRIVERS\update.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 27001B60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!FindResourceExW 7C80AB10 7 Bytes JMP 27001AD0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!FindResourceW 7C80BA56 7 Bytes JMP 27001A50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!SizeofResource 7C80BAF1 7 Bytes JMP 27001C10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LockResource 7C80C6CF 2 Bytes JMP 27001CC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LockResource + 3 7C80C6D2 2 Bytes [ 7F, AA ]
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!CreateEventA 7C81E4BD 5 Bytes JMP 27001830 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ADVAPI32.dll!CryptDeriveKey 77DEA685 7 Bytes JMP 27001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ADVAPI32.dll!CryptDecrypt 77DEA7B1 2 Bytes JMP 27001050 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ADVAPI32.dll!CryptDecrypt + 3 77DEA7B4 4 Bytes [ 21, AF, CC, CC ]
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!PeekMessageW 77D49278 5 Bytes JMP 270037A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 270032B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!SetWindowRgn 77D51DE0 7 Bytes JMP 27004AF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!CreateDialogParamW 77D6629F 5 Bytes JMP 27004B90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!SetWindowPlacement 77D6FBEA 1 Byte [ E9 ]
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!SetWindowPlacement + 2 77D6FBEC 3 Bytes [ 4E, 29, AF ]
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 27004CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!TrackPopupMenuEx 77D9CAFE 5 Bytes JMP 27003F70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!send 71AB428A 5 Bytes JMP 27008B80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 27008970 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!recv 71AB615A 5 Bytes JMP 270087E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 27008D00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 27008F10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] SHELL32.dll!Shell_NotifyIconW 7CA37CE1 5 Bytes JMP 27002B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ole32.dll!CoInitializeEx 774F42F3 5 Bytes JMP 27001D20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ole32.dll!CoRegisterClassObject 77541BFC 5 Bytes JMP 27001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!HttpOpenRequestA 771C36DD 5 Bytes JMP 27007760 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 27007A40 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 27007990 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
    .text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!InternetReadFile 771C811C 5 Bytes JMP 270078C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll

    ---- Files - GMER 1.0.12 ----

    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004265.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0005265.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0006265.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007265.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0007277.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007373.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007405.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007428.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007441.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP26\A0007470.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007484.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP27\A0007501.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0007594.dll:fork2
    ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP28\A0008594.dll:fork2

    ---- EOF - GMER 1.0.12 ----
     
  14. 2007/04/30
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    thanks for the logs.

    The GMER log still looks kinda odd to me. Although I don't see any nasty drivers loading in the last few boots in your bootlog, I would like to check a few things.

    Can you upload me a copy of this file:

    C:\WINDOWS\system32\DRIVERS\update.sys

    To this site please:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Leave a link to this thread so I know whose file it belongs to.
    It is a legit file, but I am unsure why it should even show up in GMER.

    Copy the following text to a new Notepad file.
    Save as file name: peek.bat
    Save as file type: All Files
    Save it to the desktop.

    Code:
    rem work from the root of the system drive so the recursive dir covers everything
    cd c:\
    rem start with a fresh report file
    if exist peek.txt del peek.txt
    rem look for the two driver names and record every copy found
    dir /s EXAMPLE.SYS >peek.txt
    dir /s Runtime.SYS >>peek.txt
    rem dump the service registration (if any) for the "runtime" driver
    reg query hklm\system\currentcontrolset\services\runtime >>peek.txt


    Then....

    Boot to Safe Mode.
    Start HijackThis.
    Click "Open the Misc Tools section".
    Checkmark both the (full) (complete) options beside "Generate StartupList log" and generate the log.
    The log will be located in the same folder as your HijackThis, called startuplist.txt. I will need this later.

    Next, click "ADS Spy".
    Uncheck "Quick scan".
    Click "Scan".
    When the scan is done, save the log.

    Next, run the peek.bat you saved earlier.
    A log called peek.txt will be in c:\
    I will need this later.

    Boot back up to normal mode.

    Post both the ADS Spy log and the StartupList log, and the contents of c:\peek.txt

    Also let me know if you got the "update.sys" uploaded OK.

    Thanks :)
     
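An added triage helper (my code, not GMER's and not posted in this thread) for the three sections Blender is reading in the GMER 1.0.12 log above: it lists unknown kernel code sections, counts user-mode inline hooks by the module they jump into, and separates alternate data streams on live files from the restore-point copies under System Volume Information. The sample log is a constructed excerpt in the thread's layout; placeholder.dll is a made-up live-file entry.

```python
import re
from collections import Counter

# Constructed excerpt in the GMER 1.0.12 log layout seen in this thread (not the full log).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 27001B60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LockResource + 3 7C80C6D2 2 Bytes [ 7F, AA ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!send 71AB428A 5 Bytes JMP 27008B80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!InternetReadFile 771C811C 5 Bytes JMP 270078C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll

---- Files - GMER 1.0.12 ----

ADS C:\System Volume Information\_restore{D9BDAFC4-7906-4D92-840A-686445872437}\RP24\A0004265.dll:fork2
ADS C:\WINDOWS\system32\placeholder.dll:fork2
"""

# One user-code hook line: process[pid], module!export (+ offset), address, patch size,
# then either a JMP to a destination inside a named module or raw patched bytes.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<api>\S+!\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-F]+)\s+\d+ Bytes?\s+(?:JMP (?P<dest>[0-9A-F]+) (?P<module>.+)|\[.*\])$"
)

def parse_gmer(text):
    """Return (unknown_kernel_sections, hooks, ads_entries) from a GMER text log."""
    unknown, hooks, ads = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("? "):            # kernel section GMER could not attribute
            unknown.append(line[2:])
        elif line.startswith("ADS "):        # alternate data stream on a file
            ads.append(line[4:])
        elif line.startswith(".text"):
            m = HOOK_RE.match(line)
            if m:
                hooks.append(m.groupdict())
    return unknown, hooks, ads

def summarise_hooks(hooks):
    """Count hooks per destination module; byte-patch continuation lines with no JMP
    target (the '+ N' entries) are grouped under 'inline patch'."""
    return Counter(h["module"] or "inline patch" for h in hooks)

def live_ads(ads):
    """Streams outside the System Restore store sit on live files and deserve a look;
    the _restore\RPnn entries are restore-point copies of files already replaced."""
    return [a for a in ads if "\\System Volume Information\\" not in a]
```

Running the three functions over a real GMER log gives a per-module hook count, which makes it easy to see when every hook comes from one known add-on, as with MsgPlusLive.dll in the thread's log.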
