-
Yet another Google/Yahoo search redirect
Whenever I try to search for something, when I click on results, it runs it through "excellentsearchserver.com." Whatever it is, it has also shut down Microsoft Security Essentials. When I try to get it started, it gives me an error code and says it cannot start. Windows Firewall has also started flagging all sorts of stuff. I read the "before you post" thread, and here are my DDS and Spybot logs. Thanks in advance for the assistance. I have absolutely no clue how I got this, whatever it is.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Owner at 20:19:35 on 2011-09-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.870 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\2156546587:3837097343.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Auction Sentry\AuctionSentry.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Auction Sentry\AuctionSentry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB1453] command.com /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD7749] cmd.exe /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB916] command.com /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD6728] cmd.exe /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB5224] command.com /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD5350] cmd.exe /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB946] command.com /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD9358] cmd.exe /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB6286] command.com /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD4652] cmd.exe /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB6738] command.com /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD181] cmd.exe /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB6267] command.com /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD306] cmd.exe /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingB7139] command.com /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
uRunOnce: [SpybotDeletingD2241] cmd.exe /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [SpybotDeletingA5763] command.com /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC9290] cmd.exe /c del "c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingA2169] command.com /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC3365] cmd.exe /c del "c:\documents and settings\localservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingA6262] command.com /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC7076] cmd.exe /c del "c:\documents and settings\networkservice\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingA5425] command.com /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
mRunOnce: [SpybotDeletingC3206] cmd.exe /c del "c:\documents and settings\owner\local settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\auctio~2.lnk - c:\program files\auction sentry\AuctionSentry.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BF35280A-299A-4AED-8A2B-34E08AD607E0} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\w0zq0ap0.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Beef Taco (Targeted Advertising Cookie Opt-Out): - %profile%\extensions\john@velvetcache.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
R1 MpKsl3562c781;MpKsl3562c781;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d73f0047-84b3-4c69-a035-dfb06c68f28d}\MpKsl3562c781.sys [2011-9-6 28752]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-8-29 876288]
RUnknown 12726213;12726213; [x]
RUnknown 2540268drv;2540268drv; [x]
RUnknown 44758743;44758743; [x]
S1 MpKsl22226c78;MpKsl22226c78;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\mpksl22226c78.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\MpKsl22226c78.sys [?]
S1 MpKsl3d641bee;MpKsl3d641bee;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b459db97-b8b8-4aac-9462-c49cb9e72f8e}\mpksl3d641bee.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b459db97-b8b8-4aac-9462-c49cb9e72f8e}\MpKsl3d641bee.sys [?]
S1 MpKsl68b0bf29;MpKsl68b0bf29;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{58748ece-7e4f-4b0a-91b7-8d9be2025a58}\mpksl68b0bf29.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{58748ece-7e4f-4b0a-91b7-8d9be2025a58}\MpKsl68b0bf29.sys [?]
S1 MpKsl69d2afe1;MpKsl69d2afe1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ac9aee1-5d28-4142-a004-5d250ee3c4ce}\mpksl69d2afe1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ac9aee1-5d28-4142-a004-5d250ee3c4ce}\MpKsl69d2afe1.sys [?]
S1 MpKsl7313c79e;MpKsl7313c79e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ce840b-4a02-4d7c-9af0-c3e331fc602e}\mpksl7313c79e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ce840b-4a02-4d7c-9af0-c3e331fc602e}\MpKsl7313c79e.sys [?]
S1 MpKsl823ebdca;MpKsl823ebdca;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{11e5b5f5-7888-4145-b901-c565f5cca65d}\mpksl823ebdca.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{11e5b5f5-7888-4145-b901-c565f5cca65d}\MpKsl823ebdca.sys [?]
S1 MpKsl8cd45f5f;MpKsl8cd45f5f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\mpksl8cd45f5f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193e237e-a64b-496b-850d-f4554c7a116b}\MpKsl8cd45f5f.sys [?]
S1 MpKsl999a55f6;MpKsl999a55f6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{463db425-8dfd-4bfc-ab80-adaa78c8ef6f}\mpksl999a55f6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{463db425-8dfd-4bfc-ab80-adaa78c8ef6f}\MpKsl999a55f6.sys [?]
S1 MpKslbc9abae4;MpKslbc9abae4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e9079ac-8e4e-45d6-b974-7173776979ae}\mpkslbc9abae4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e9079ac-8e4e-45d6-b974-7173776979ae}\MpKslbc9abae4.sys [?]
S1 MpKslbe29ffa4;MpKslbe29ffa4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2874cf-83dc-42f8-b7ad-c7bdaa9fa790}\mpkslbe29ffa4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2f2874cf-83dc-42f8-b7ad-c7bdaa9fa790}\MpKslbe29ffa4.sys [?]
S1 MpKslf3d7030f;MpKslf3d7030f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a05109c1-3d74-4558-85c9-1fbf5fc92b61}\mpkslf3d7030f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a05109c1-3d74-4558-85c9-1fbf5fc92b61}\MpKslf3d7030f.sys [?]
S1 MpKslf62857d4;MpKslf62857d4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eacab5fd-ad09-4d62-944d-8b3f8039c64f}\mpkslf62857d4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eacab5fd-ad09-4d62-944d-8b3f8039c64f}\MpKslf62857d4.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-07 00:41:01 -------- d-----w- c:\documents and settings\owner\local settings\application data\PCHealth
2011-09-06 12:50:14 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d73f0047-84b3-4c69-a035-dfb06c68f28d}\MpKsl3562c781.sys
2011-09-05 13:36:32 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d73f0047-84b3-4c69-a035-dfb06c68f28d}\mpengine.dll
2011-09-04 03:25:28 -------- d-----w- c:\program files\iPod
2011-09-04 03:25:11 -------- d-----w- c:\program files\iTunes
2011-08-17 04:45:44 -------- d-----w- c:\windows\Logs
2011-08-17 04:01:02 -------- d-----w- c:\program files\common files\Steam
2011-08-17 04:00:59 -------- d-----w- c:\program files\Steam
2011-08-10 12:36:27 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 12:36:15 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 00:05:08 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
.
==================== Find3M ====================
.
2011-08-25 10:37:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 16:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-11 02:41:28 1080 ----a-w- c:\windows\AUTOLNCH.REG
.
============= FINISH: 20:19:53.37 ===============
Spybot Search and Destroy results:
Win32.AVKillsvc.e: [SBI $ACD9F3FA] Data (File, fixed)
C:\WINDOWS\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355918
Properties.filedatetext=2011-09-06 19:38:38
Win32.AVKillsvc.e: [SBI $A106152C] Data (File, fixed)
C:\Documents and Settings\LocalService\Local Settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355926
Properties.filedatetext=2011-09-06 19:38:45
Win32.AVKillsvc.e: [SBI $A106152C] Data (File, fixed)
C:\Documents and Settings\NetworkService\Local Settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355926
Properties.filedatetext=2011-09-06 19:38:46
Win32.AVKillsvc.e: [SBI $A106152C] Data (File, fixed)
C:\Documents and Settings\Owner\Local Settings\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
Properties.size=3596
Properties.md5=5E7AC8D7611B66FD0B378E85EF175715
Properties.filedate=1315355925
Properties.filedatetext=2011-09-06 19:38:44
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-09-06 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-08-29 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-08-31 Includes\Malware.sbi (*)
2011-08-30 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-05-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-06-14 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-06-20 Includes\Trojans.sbi (*)
2011-08-29 Includes\TrojansC-02.sbi (*)
2011-08-09 Includes\TrojansC-03.sbi (*)
2011-08-30 Includes\TrojansC-04.sbi (*)
2011-08-29 Includes\TrojansC-05.sbi (*)
2011-08-23 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Well, now my computer won't go past a startup screen, whether or not I restart in safe mode. It just gets stuck there and won't go any further. I'm using my old computer right now.
Last edited by tashi; 2011-09-09 at 02:36.
Reason: Merged two posts as helpers look for topics with zero response :-)
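The DDS log above is what the helper read to reach the rootkit diagnosis; as an added example (my own code, not the forum's or the DDS tool's), this Python script parses the posted Running Processes and Services/Drivers sections and flags the entries a malware-removal helper would question first: an executable whose path carries a second colon (an NTFS alternate data stream under C:\WINDOWS) and services with random-looking numeric names and no file on disk. The heuristics and the `triage` function are assumptions of this example, not rules stated anywhere in the thread.

```python
import re

# Sample input: a few lines copied from the DDS log posted above, trimmed to
# the two sections this triage reads (constructed excerpt, not the full log).
SAMPLE_DDS = r"""============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\2156546587:3837097343.exe
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
RUnknown 12726213;12726213; [x]
RUnknown 2540268drv;2540268drv; [x]
RUnknown 44758743;44758743; [x]
"""

# DDS wraps each section title in '=' signs and prints a lone '.' for a blank line.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service line: "<state> <name>;<display name>;<image path and size, or [x]>"
SERVICE_RE = re.compile(r"^(?P<state>\S+)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


def split_sections(text):
    """Return {SECTION TITLE: [content lines]} for a DDS log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def process_findings(lines):
    """Flag running-process entries a helper would question first (heuristic)."""
    findings = []
    for line in lines:
        path = line.split(" -k ")[0].strip()  # drop the svchost group argument
        name = path.rsplit("\\", 1)[-1]
        if path.count(":") > 1:
            # A second ':' after the drive letter means the image lives in an NTFS
            # alternate data stream, so a plain directory listing never shows it.
            findings.append(("ads_path", path))
        elif re.fullmatch(r"\d{6,}\.exe", name, re.IGNORECASE):
            findings.append(("numeric_name", path))
    return findings


def service_findings(lines):
    """Flag services/drivers with no file on disk or random-looking names."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, reasons = m.group("name"), []
        if m.group("state") == "RUnknown":
            reasons.append("unknown start type")
        if m.group("rest").strip() == "[x]":
            reasons.append("no backing file on disk")
        if re.fullmatch(r"\d{6,}[a-z]*", name, re.IGNORECASE):
            reasons.append("random-looking numeric name")
        if reasons:
            findings.append((name, reasons))
    return findings


def triage(text):
    """Run both checks over a DDS log and return the findings per section."""
    sections = split_sections(text)
    return {
        "processes": process_findings(sections.get("RUNNING PROCESSES", [])),
        "services": service_findings(sections.get("SERVICES / DRIVERS", [])),
    }
```

Run `triage(SAMPLE_DDS)` to see the three RUnknown services and the alternate-data-stream executable reported; legitimate entries such as the MpFilter driver produce no finding.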
-
Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
You're infected with the Zero Access Rootkit.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- See this Link for programs that need to be disabled and instruction on how to disable them.
- Remember to re-enable them when we're done.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
-
Currently my computer will not start up past the Windows loading screen, whether or not I restart in safe mode.
-
Try the LAST KNOWN GOOD CONFIGURATION
To Access Last Known Good
- Go to Start> Shut off your Computer> Restart
- Or if the computer is off press the power button
- As the computer starts to boot up, Tap the F8 KEY somewhat rapidly; this will bring up a menu.
- Use the Up and Down Arrow Keys to scroll up to Last Known Good
- Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode
-
When I load in the Last Known Good configuration, it just loads the Windows XP screen, then goes to a black screen with the mouse pointer on it, and doesn't go faster than that. If I load in Safe Mode it does the same thing. I can't get it past that screen.
-
Well, the ZERO Access Rootkit is a very serious infection; it's capable of all sorts of things, from stealing passwords and bank account numbers, and the list goes on. The best thing to do is to format and reinstall Windows; then you're guaranteed a nice, safe and reliable computer.
If you have not done so already you need to access a known clean computer and go online and change all your passwords for any banking or online shopping sites you may use.
Do you have your Windows CD or the Recovery CD that came with your system?
-
I have a Windows Recovery Disk. Is there any way to do things without losing all the files on that computer?
-
Well, possibly, but I'm not sure how seriously Windows is damaged. I have been at this for many years and I can't stress enough to my friends and people that I work with to back up their data on a regular basis, and it's not rocket science; a $30 USB thumb drive would save it all, but people just don't seem to have the time to do this. They always wait until it's too late and disaster has struck.
I would like you to post here at this Windows forum; they're more in tune to helping you with your problem. You can link them to this thread so they can see what we have done and make them aware of the rootkit infection.
http://forums.whatthetech.com/index.php?showforum=119
Good luck,
Ken
-
I have posted on that forum. A friend of mine suggested a SATA to USB adaptor to pull data off the hard drive. Once I do that, if I format and reinstall, then is the rootkit gone?
-
Most likely, as long as you do a complete format and reinstall of Windows, not just a Windows repair. This rootkit is fairly new so we are not sure right now of all it's capable of. What I would do is, after you pull your data and do a reinstall, come back to this forum and post a new DDS log for me to look at. Threads are closed after 3 days of no replies, but I will hold this one open for you; in the event it's closed you can PM me or a moderator (TASHI) to reopen it for you.