Search Engine Redirect Issue 3

[missymarie1014]

This is Windows XP Pro SP3 with Internet Explorer 7. I have a search engine redirect problem which has some very interesting characteristics. First, this problem occurs across all search providers, google, bing, live, etc. Second, it is not user specific. Regardless of the log in name the action occurs consistently. Third, the action is that after you do the search and receive the search results, when you click on the result you are redirected to a solicitation or information page that is somewhat related to the subject matter of your search results. If you click back and go back to the search results and choose the same result a second time, it comes up correctly. And this aspect of the problem where a second and any subsequent click of the result brings up the correct site is consistent across all the search engines. I have run thorough scans using Spyware Terminator, AdAware, MalWareBytes, and Avast. The malware, adware, and spyware scans caught various relatively minor things, but my system still has the issue. My hosts file is unchanged and there is no Internet Explorer Search Page key in the Registry. Additionally, I am evaluating the Non Plug and Play Devices area from the Device Manager to see if anything there might be amiss. Any help would be greatly appreciated.

 

[smah]

I have a wild shot-in-the-dark guess. Try this test. Make a copy of your userint.dll (from the windows\system32 folder) and name it test.dll. Be very careful that you are making a copy, not moving it or renaming it because doing so will render your system inoperable. Now scan again with Malwarebytes Antimalware and see if it has any issues with this copied file.

 

[missymarie1014]

That file does not exist on my system, nor do any of these close matches.... usrint.dll, userinit.dll, usrinit.dll

 

[pechenegs]

Download hijack this from the link below.Please do this. Click here:

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?hhTest=1

to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[missymarie1014]

Here is the log file....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:44 PM, on 2/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1258650454421

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heritage.local
O17 - HKLM\Software\..\Telephony: DomainName = heritage.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4827466B-3510-4DE9-93E6-A47FF92C1C54}: NameServer = 192.168.0.150,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heritage.local
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4917 bytes

 

[pechenegs]

For these fixes to work you'll need to disable spyware terminator's real time shields, Avasts and Lavasoft's! After you've run the fixes re-enable them as the shields can block the fixes!


* Click here to download ATF Cleaner by Atribune and save it to your
desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
* Click Exit on the Main menu to close the program.




NOTE: If you have downloaded ComboFix previously please delete that
version and download it again!


Please visit this webpage for instructions for downloading and running
ComboFix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Click here for info on how to boot to safe mode if you don't already know
how.

http://support.microsoft.com/kb/315222

* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before clicking FIX.

O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe


Then reboot to normal mode and run Dr web.



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is
found,
click the yes button when it asks you if you want to cure it. This is only a
short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the
files found: IPB Image
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose
save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will
be moved/deleted during reboot.




Post a new hijack this, the combo log, the dr web scan log and the log!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[pechenegs]

There are many other threads which say this file is for monitoring a Nvidia graphics card for over clocking so don't remove it!



This file -----> C:\WINDOWS\system32\winsys2.exe

If you do remove it you can reinstall it from hijack this
backup utility or reinstall the file from cd! However it may be a baddie.

go here and upload it and get it checked out!


C:\WINDOWS\system32\winsys2.exe

http://www.virustotal.com/en/indexf.html

See this thread below.

http://forum-en.msi.com/index.php?topic=107149.msg792532

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[smah]

My post should have been for userinit.exe (bad typing for the name and bad memory for the extension)

 

[pechenegs]

Your version of Avast is out of date you should update to version five!

http://www.avast.com/free-antivirus-download

you should also get a free firewall, pctools is currently a good free one!

http://www.pctools.com/firewall/

Also download and run these two tools!

Please download
SmitfraudFix
(by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.



Next, please reboot your computer in Safe Mode by doing the following
:

• Restart your computer
• After hearing your computer beep once during startup, but before the
  Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and
double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter"
to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the
registry?"; answer "Yes" by typing Y and press "Enter" in order to
remove the Desktop background and clean registry keys associated with the
infection.

The tool will now check if wininet.dll is infected. You may be
prompted to replace the infected file (if found); answer "Yes" by typing
Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process;
please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at
C:\rapport.txt




Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure
"Run fixit" is checked and click Finish. The fix will begin; follow the
prompts. You will be asked to reboot your computer; please do so. Your
system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will
launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt,
along with a new Hijack This log.


post the smitfraud and the fixwareout logs!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[missymarie1014]

SMAH:

I do have userinit.exe in windows\system32 and in windows\system32\dllcache.

 

[missymarie1014]

FixWareout.exe is not loading successfully from either of these sites. The subratam.org doesn't even load at all. The file is not listed on bleepingcomputer's site either.

 

[pechenegs]

ok, run the other fixes and skip that one, post all the requested logs!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[missymarie1014]

I have run the ATF Cleaner with no issues.

I have just run Combo Fix and the log file is below. I will await further instructions before proceeding. The next step would be the Hijack fix of winsys2.exe under safe mode. Please note that I do have an NVideo video adapter. Please advise how you would like me to proceed. Thanks!

ComboFix 10-03-01.04 - Administrator 03/02/2010 10:59:19.1.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2963 [GMT -5:00]
Running from: c:\documents and settings\Administrator.HERITAGE\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100302-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-583907252-1659004503-1177238915-500
c:\windows\system32\MSIMRT.DLL
c:\windows\system32\MSIMRT32.DLL
c:\windows\system32\MSIMUSIC.DLL

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 14:00 . 2010-03-02 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-02-26 23:06 . 2010-02-26 23:06 -------- d-----w- c:\program files\Trend Micro
2010-02-25 23:43 . 2010-02-25 22:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 22:54 . 2010-02-25 22:54 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-25 22:54 . 2010-02-25 22:54 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-25 22:54 . 2010-02-25 22:54 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-25 22:54 . 2010-02-25 22:54 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-25 22:54 . 2010-02-25 22:54 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-25 22:54 . 2010-02-25 22:54 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-25 22:54 . 2010-02-25 22:54 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-25 22:53 . 2010-02-25 22:53 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-25 22:53 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-25 22:53 . 2010-02-25 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-25 22:53 . 2010-02-25 22:53 -------- d-----w- c:\program files\Lavasoft
2010-02-23 22:03 . 2010-02-23 22:03 -------- d-----w- c:\documents and settings\Administrator.HERITAGE\Application Data\Malwarebytes
2010-02-23 22:03 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 22:03 . 2010-02-23 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 22:03 . 2010-02-23 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 22:03 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 20:28 . 2010-02-23 20:43 -------- d-----w- C:\Feb2010
2010-02-22 22:45 . 2010-03-02 14:34 -------- d-----w- c:\documents and settings\Administrator.HERITAGE\Application Data\Spyware Terminator
2010-02-22 22:45 . 2010-02-26 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-02-22 22:45 . 2010-02-22 22:45 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2010-02-22 22:45 . 2010-02-22 22:45 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2010-02-22 22:45 . 2010-02-22 22:45 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-02-22 22:44 . 2010-03-02 14:34 -------- d-----w- c:\program files\Spyware Terminator
2010-02-22 21:00 . 2010-02-22 21:00 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-22 20:27 . 2010-02-22 20:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\program files\Citrix
2010-02-15 22:09 . 2010-02-15 22:09 60744 ----a-w- c:\documents and settings\Administrator.HERITAGE\g2mdlhlpx.exe
2010-02-12 14:51 . 2007-06-19 17:57 229888 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1006S.DLL
2010-02-10 22:44 . 2010-02-10 22:44 -------- d-----w- c:\program files\Microsoft.NET
2010-02-10 22:43 . 2010-02-10 22:43 -------- d-----w- c:\program files\MSXML 6.0
2010-02-10 22:43 . 2010-02-10 22:45 -------- d-----w- c:\program files\Microsoft SQL Server
2010-02-10 22:41 . 2010-02-10 22:45 -------- d-----w- C:\Response
2010-02-10 22:25 . 2009-03-31 17:24 745472 ----a-w- c:\windows\system32\TAPIExCt.dll
2010-02-10 22:25 . 2006-01-07 14:56 143360 ----a-w- c:\windows\system32\SpectrumView.dll
2010-02-10 22:25 . 2010-02-10 22:25 -------- d-----w- c:\program files\Common Files\software fx shared
2010-02-10 22:24 . 2010-02-10 22:24 -------- d-----w- c:\program files\CoLinear
2010-02-10 22:22 . 2010-02-10 22:22 -------- d-----w- C:\response10_demo
2010-02-10 22:22 . 2010-02-10 22:05 107513175 ----a-w- C:\response10_demo.zip
2010-02-01 15:56 . 2006-12-14 15:00 110592 ----a-w- c:\documents and settings\Administrator.HERITAGE\Application Data\U3\temp\cleanup.exe
2010-02-01 15:56 . 2010-02-01 15:56 -------- d-----w- C:\LightPics
2010-02-01 15:55 . 2007-02-12 22:46 3096576 ---ha-w- c:\documents and settings\Administrator.HERITAGE\Application Data\U3\temp\Launchpad Removal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 20:22 . 2009-12-07 19:03 161 ----a-w- c:\windows\daa.bat
2010-02-10 22:24 . 2009-10-22 15:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 22:23 . 2009-12-01 20:07 20736 ----a-w- c:\documents and settings\Administrator.HERITAGE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-04 15:53 . 2010-02-25 22:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-01 15:56 . 2009-12-24 20:48 -------- d-----w- c:\documents and settings\Administrator.HERITAGE\Application Data\U3
2010-01-05 10:00 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-07 20:29 . 2009-12-07 19:09 165 ----a-w- c:\windows\mmm.bat
2009-12-02 20:56 . 2009-10-21 21:05 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-19 149280]
"nwiz"="nwiz.exe" [2009-03-28 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-04-27 17:08 17881088 ----a-w- c:\windows\RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/25/2010 5:55 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/19/2009 11:03 AM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2/22/2010 5:45 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/19/2009 11:03 AM 20560]
R2 MSSQL$RESPONSE;SQL Server (RESPONSE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 8:29 AM 29178224]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [10/22/2009 10:49 AM 159400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/22/2009 10:47 AM 1684736]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:54]
.
.
------- Supplementary Scan -------
.
TCP: {4827466B-3510-4DE9-93E6-A47FF92C1C54} = 192.168.0.150,192.168.0.100
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

http://www.gmer.net

Rootkit scan 2010-03-02 11:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A68F8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f14b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) 82578DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9e1dbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e2aa21
SendHandler -> NDIS.sys @ 0xb9e0887b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-03-02 11:02:39
ComboFix-quarantined-files.txt 2010-03-02 16:02

Pre-Run: 383,995,555,840 bytes free
Post-Run: 383,960,973,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 772DA2979139C3308038DDDF8F3078B0

 

[missymarie1014]

Bringing you up to date with the status of things.

First, regarding the NVideo adapter, please note that no overclocking is enabled on this machine if that is the sole purpose of winsys32.exe.

Second, I have run ATF Cleaner and Combo Fix at this point. There were no issues as I went through the documented procedures. The Combo Fix log is in the post above.

Third, waiting to hear back from you on the next step, I decided to safe boot the machine in preparation for the Hijack This fix. The unit will not safe boot successfully at this point. It goes throungh the prompts, I select Safe Mode, then I select Windows XP Pro, it begins to load drivers for about 2 or 3 seconds and then retarts the boot process. It appears that the machine does boot properly in normal mode. I rebooted it and let it come to a login prompt, but I did not login as I did not want it to run the boot process through the Registry and possibly affect the work done to this point. I just shut down at the login prompt and again attempted a Safe boot with the same results. Please advise. Thanks!

 

[DTracy]

If you haven't done so already, backup you data. You can always scan your backup and clean as needed.

I would suggest finding or creating a BART PE bootable disk and while running from BART, do a chkdsk c:/r to isolate the boot problem in safe mode.

I see you have or had a rootkit. Download MER and use it carefully to remove that problem.

Say what happens next.

Best Regards,
David.

 

[kjv1611]

Download MER and use it carefully to remove that problem.

I think he meant GMER:

http://www.gmer.net/

(their site, with most info)

Can also be downloaded here:

http://download.cnet.com/GMER/3000-8022_4-10720107.html

--

"If to err is human, then I must be some kind of human!" -Me

 

[DTracy]

Thanks KJ, that's what I meant.

David.

 

[pechenegs]

just run dr web and smitfraud and post their logs, then run a full sweep with malwarebytes and superantispyware, remember to disable adwatch and spyware terminator as they'll interfere with the fixes!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[missymarie1014]

Well, I can report that the redirect symptoms associated with the malware/virus resident on my machine have been corrected. Dr Web CureIt identified 2 infected instances of atapi.sys and cured them upon reboot. Clearly, this damaged driver is also the reason for the machine's failure to boot successfully in Safe Mode. Safe Mode now functions properly. The DrWeb log is quite long (40,000 lines). Shall I post all of that? Here is the SmitFraudFix log.....

SmitFraudFix v2.424

Scan done at 16:21:31.81, Wed 03/03/2010
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4827466B-3510-4DE9-93E6-A47FF92C1C54}: NameServer=192.168.0.150,192.168.0.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4827466B-3510-4DE9-93E6-A47FF92C1C54}: NameServer=192.168.0.150,192.168.0.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4827466B-3510-4DE9-93E6-A47FF92C1C54}: NameServer=192.168.0.150,192.168.0.100


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Please advise next step. Machine seems to be functioning normally. Thanks!

 

[missymarie1014]

I will also proceed to run MalwareBytes and SuperAntiSpyWare and report back. See above post for current status. Thanks!