iexplore self running, and google redirects on all browsers

Question

Vrank92 0 Newbie Poster

12 Years Ago

Ok, I seem to have quite a pickle here. About a week ago I started getting google redirects. I have done quite a bit of troubleshooting since, and this is everything I know:

-Google redirects on all browsers (firefox, IE, and Chrome- which I installed after the trouble started in the hope it would somehow avoid the issue)

-iexplore will open itself (with no visible windows) at one point playing music, but always eating RAM and CPU space

-I turned off System Restore

-I installed Norton 360 since the trouble started (had an extra seat) I've scanned with it (full scans both files and processes), malware-bytes, Trend-Micro Housecall, Spybot S&D, and SuperAntispyware. I've found a few things, but all have had at least one clear scan.

I had a few issues running the logs asked for:
-GMER had an error popup before running that said: LoadDriver(“C:\DOCUME~1\amy)LOCALS~1\Temp\pwyapog.sys”) error 0xC000010E: Cannot Create a stable subkey under a volatile parent key.

Only available checkmarks: Serivices, Registry, Files

I ran the scan with that for the logs I'll post

-DDS only runs as gabage in notepad (says its an autocad script)

Here are all my new logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8253

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/2/2011 8:34:09 PM
mbam-log-2011-12-02 (20-34-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 383968
Time elapsed: 2 hour(s), 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

explorer redirect virus windows-virus

2 Contributors
23 Replies
282 Views
4 Days Discussion Span
Latest Post 12 Years Ago Latest Post by Vrank92

All 23 Replies

jholland1964 650 Posting Expert

12 Years Ago

Not sure what exactly you mean when you say
"DDS only runs as garbage in notepad"
Do you mean the log won't show correctly? Or the program itself won't run correctly?

You have SpyBot TeaTimer running, it will stop any fixes attempted, please turn it off and leave it off following these instructions:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

You also have SUPERAntispyware running all the time, turn it off also.

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Edited 12 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

12 Years Ago

please download this file: xp_scr_fix.

Unpack the file onto your desktop and double-click it. You will be asked if you wish to merge the file with you registry, say yes.

You should then be able to run DDS.scr.

jholland1964 650 Posting Expert

12 Years Ago

Instructions for TDSSKiller are very clear:
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
There is no mention of "from a unique folder or with a new name"...where did you get those instructions?

Edited 12 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

12 Years Ago

That info from SpyBot likely means that SpyBot TeaTimer is stopping changes being made to the registry by the antivirus program...it is not letting it fix what it should fix.It will also stop other fixes attempted also. Turn off TeaTimer and leave it off.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer
Have you attempted any of these scans in Safe Mode?

jholland1964 650 Posting Expert

12 Years Ago

If you have spybot fix that then anything the av program tries to fix will be over ridden. Leave it alone

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Vrank92 0 Newbie Poster · Answer 1 · 2011-12-03T22:23:43+00:00

GMER Log 1 was blank.

GMER 2:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-02 18:22:43
Windows 5.1.2600 Service Pack 3
Running: pd6obq7b.exe; Driver: C:\DOCUME~1\amy\LOCALS~1\Temp\pwryapog.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB61590$\349758542 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\bckfg.tmp 995 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\L 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\L\qllsmjpa 456320 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000001.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000002.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000032.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000032.@ 96256 bytes
File C:\WINDOWS\$NtUninstallKB61590$\920543175 0 bytes

---- EOF - GMER 1.0.15 ----

Vrank92 0 Newbie Poster · Answer 2 · 2011-12-03T22:25:40+00:00

Here's my HijackThis report:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:34:18 AM, on 12/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Documents and Settings\amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\coIEPlg.dll
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\amy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 13497 bytes

Vrank92 0 Newbie Poster · Answer 3 · 2011-12-04T08:38:46+00:00

I turned off tea timer, and after reboot will run the scan and report in.

In terms of the DDS scan, when I click it, instead of running in command line, I get a "do you want to run this" box, hit yes, it opens a notepad window that is blank for a bit, then fills with text, much of which is non-alpha-numeric.  It never seems to run as a program.

"MZ       ÿÿ  ¸       @                                   Ø   º ´ Í!¸LÍ!This program cannot be run in DOS mode.

$       1¸„:uÙêiuÙêiuÙêi¶ÖµiwÙêiuÙëiîÙêi¶Ö·idÙêi!úÚiÙêi²ßìitÙêiRichuÙêi                        PE  L ÆãK        à   P        0ó  °      @                         í      €                           `      `                                                                                                          UPX0                             €  àUPX1     P   °  F                 @  à.rsrc             J              @  À                                                                                                                                                                                                                                                                                                                                                                                                                   3.07 UPX!
    •»    $Ð˜…‚Û 'C   „  & "ÿ÷ÿU‹ìƒì\ƒ}t+F‹Eu
ƒH‹
¨>Bÿ¿lÿ ‰HPÿuÿHr@ é uSÝŒ}÷V‹5°E¤WPLƒeôíæl»1EäP‹}ð¿ý±·ðDp; ï¶FRVV¯Uuÿ¿ýè‹Ï+MèÁÂ‰M™÷ÿ3ÒŠðQùÛÍNUMèÁ‹Ê1T»vé>ŠÈPE3Áá×m··ÀÈsôPBø¢p‡™åìrEðPˆTßÞ¾½ÿÓè9}qŒwÿ ƒ~Xÿºûteÿv4½5…À3tnÛ¶/jWÇ:« èî"ÝÍ¹*Ê )XWKpÛg›ÛÿXÖðh -P¹gWøjÿh 6%Xr¿9Yˆw¤\_^3À[ÉÛßð·Â_‹L$¡ÈF‹ÑSiÒAVûÝÿÿW‹TöÂtOq3ÿ;5ÌsB‹ÎiÉ¼}YþD‹ÁGët  Ûÿö/BO…Ét ë
u‹Ù3Úƒã9Ù´Û³÷‰F1ArÊt[Â…wÃ7îQQ‹U¿òiö˜{ÃÂ€3ÉóW?üB‹F¨^~ìö9Mt$¾B‰;„D‹ÂiÀ°ðýG|B‹‡
,RÛËö÷#ëu(›@ÿEüµwÍtëø;A‹Ðr¼ùÛ7
Íˆû,lü tóø·ù/ƒN@ëç‹€áƒÉ‰ëÙ?ö?    V3öƒù s49Èv,Pö¿ð$¨uGÓç…züt~^°ÿ$þ‰FÂóÙò[Ù?á¡seùZám†”ØB=#¼ïð+üß3Û9tK;ßsEÕrƒÆ5¶°d„b(ýpÛ <˜¦‹¾@ƒâÓàì…w¿«ü#È‹ÁÓâ;ÂvCÆxw[w{ßrÆt
÷ƒVã rŸßÚîmCüóŠ‹DÓN}@¹ÁmøÛ @eÁà
+ÈQ;JÙq³ôvt$öj‹ÆxÐkÀtÜ]¸øƒ8C\P!0=¯ÿökœiCu@FëH‹£ãÛÛð+&|$ž/Œ{jv7ž{w5th0u 
u0q³±u/Ph¡ÿe…DÞ¯a{…ö}’Î^Š¸[ëõ»ïîÐ|'Ctlj…™hpŸ°sŽŸË? Qì¤o8^MÊ¡"JØWjc»°ðY}ØNÌKó¥ñÜcÿûmàš‹úÁæ
ë‰]üÁç
ñùMû…ïúÜ‰
h›MØƒÁþÚA‡˜ý×·½$(Sá?(
ÿlÌlÛß½9]Ì„c
!SÇø¶9vBH-…’9Öðw_‡S
Õƒø±P8³-½×ˆ|„ÌFüÜ¿-¼
‚^äu"‹ˆ ?ö·s7yˆ`<‹§-k±±)‹Ö{/ó4…a‹;Ë”À#¬¾Ç¶…C…6ÿ4•VÃ†[ø/WpÊ]`xl†Ö7+tRQ%„ÇœëÎ<„ÿ>[jð=V·}‚ò«àº„š…ÝØ=ÈÎ!X‹øWFéþ—ï_f;ótBj\V
€SWŠˆˆEc³Ù:€u  |=·÷j5Û†ªW
x¨,ø…{¦Š'ˆF:Ãu¾àtjæBw„ÿmWh ˜Kb.t<>Äîjõ`SnN]ŸµcovjÐjß}‹ø»E¶#WV„pòjã<1×Íoíâê?Ø¿fk
ÔWH°jäaniM~P‹·¥o:éHl#“;Æv%8²cþ³!C;ÃtƒÀ,`²ëVþvÛ    ÇØìˆm…£D#6I7WÌhÿdÈBÇ{QVzSmdÍ>9o,jïíŸhü
ÁÞ¢j1žÁƒàV‰uø³cÿkøzFÂV¾p›¥VŠ‘ÞY„IP"ÂÙwðßK~MÄ¿p£}|1Ê¸m]‡Ì“èÏQw7·iü`‹Èñý
Ñ€#ÁÆÞ\ã÷ØÒoÚu•ÖuÜ5C•êh$@íÛ´19þÿuv(S†ˆÅF–@WV
-ùEZ1ðÝ„WPâÃÞØÁøPD#ƒ6·/Ðµ§S'HVjúé<ŽlúN/øjâsÁ±¤‹|ƒ´(êóîÓfTSSzuäÿ
ÖÖ·6èÿ(Äì^‘
îÂëèP…¢ßŒ¹¨øì;ûÞ$ƒ~ÌÅþÿþujéV®`~ëjî~¤%ÎhR pSë4
±[¦'ÜPÃYçVjØÂiD;¹Jò´¹…ìè†Wîðw’2Îø1‡'î  ÇzsKx´j!jõ6G0º   ïnÔ·J”}•td*[woh37Áäøˆ;ø~vx¼µ/sÔÇUnoc—»â„û}x,y‰»soC‹ûÿ›ÿˆ7’ÖMN: o1vìIÛÉR‰ððpÐä5±Ù"ôëì)W²äNŠ)KP¸Oøl,6w´Vô?à]
Úy¸Bžÿ m9{KOæoÕð-Ùnÿ;ð|~–ësoèv†''œ,JìÕ¼À7ÄÔøwmè…¥)ÚÞ    ëb+^ÉÏ‹¡-lWäÇÐ–Ûímù/ëJF#B3>Z04Û[îv+ÜuêÉë+    tø/>é
¹ôÕ8   úëE‹ƒÔùë&9Ù½ÓÿWŒ]òP†À¾— °ÄÌ›Ú-p¯}DH‹ßÝ|·Ž?uñ
ÑƒÇ–Þ  #ÜW³¡.•ýî]ÖKVP;Ót%}ú8ù
.GçW£6<dë'…ühj@ÖåpàŽ“ªóF.ÞG¾R„‰‰5÷Æ˜é„T×    ö¸\¬!ÃË„3á    ×¤ëD8•íCÂm!ÿuDŽMðÁù'fjjðUøŠ™kÉ†f™…`¹qÂæ²?Dë,E/ôFƒìŠ‡ÙÉŠöf›5v1Q#Í/-v©
CY&Üh&ßãŒ¦ª‡FPg6Ês(rQTý1àù&ÌN¬%,J¹8’p¡ègîöð&ÛëA0Rq«Â/*.Àiv\5.  j[ m0Û    ÈS¶S 5ë¸™4hr)VÛOfû|P HjZ°f{c\8.@P¥áÂáÐS*’£tž\¥î˜£„  Š ?½ûF¥ÊÆ‹ˆ
ˆ6÷Fî£h‰«çšm¢Š8·B„¦))6ïnèÞ‡lC¶ô`
<S   [\X
jËØ¦
‘8ÈjìÒ¥bpØ–è¨¬îþZ%
S#Æp\Î‹[KŸ!hu
gD pH„VvÇUp~ÃCÂ)T,ä¶øzî8FÓ9øãn‹jÀ½jdÖ=p'[m[tëöø#ôä(¸`b
0J©Å¶Ðø¯€Å$Œ$ìyaÍÞZ±p Öÿs:êŠ±N¢¿‰îÊÐ}Q6ZP…`ík8ø!aß7ØÌœ   jÆˆ4ð5¹“Ô6J4nÐ0‰¼÷N@‰Í÷™DTÿpÙÍÆÜ„ÝÃ|ç&Šq9XÙsÉÜŒ¶U]ÍŽoÑ
©qøÙ[wîjStzOWØ:ß=ketVW8œAÎb1íÄ«+(Ôªh(o=ÌâÄíÖÖáë

vLj÷ÃJòá=ýÊ“¸&Kƒ…
|ìrqö‚jç¡6Ø¼ß²ä,g†CÍl Eø"V¼D‡b!Ãàs–Ü’©@^r„q„åÂ,DÚÛ¶wë¾„ÌRh”‹)ÿÿ²QØLªÿÑ·Æb<.¸$¾ì¾
-¾ÿ!Á¦ÁK-çþÖ:Q‹ÿR<+Ü£lè‹@R4Þ)pµß–³U#Ö>0ÙœÁí”QDôr,~¼}|/¾h“ImoN+&Ð¿€_#—h@3q^Ì=gœÌ
Gp˜ÐÄïœþd>á°[ôëò°©Ih4Ï;nÒáu
Sjù¯ˆ^…¹uœO Wˆ\«u·Ø0   8vf÷â¿-±‘‰¤º¨+¶f‰M¬'hc@7o`q™4BÿŽ,£=
ðt-j€    Å*p‚"«gñ   94é3öÀ¬‰V¸`Õ:8ØÞ    Á†hœtŽÏ
"ØR¦cfWÏ 2Hüv½!N~ B¾hÙVÝ"lÐÓlñúÐ$k÷©¢Vcu+

is just the start of what it shows me. Is there a way to force it to run in command line via dos?

Vrank92 0 Newbie Poster · Answer 4 · 2011-12-04T08:53:13+00:00

I'll get on that file now, thanks. I tried to run TDDSKiller, the first time I try to run it from a unique folder or with a new name, it shows as running is my task list for maybe 4 seconds, then closes. After that, until I rename and/or move, it doesn't even show as running. I'll get you that DDS scan ASAP.

Vrank92 0 Newbie Poster · Answer 5 · 2011-12-04T09:53:44+00:00

I may hav explained myself poorly. I tried to run it, and nothing happened- hour glass for a few seconds, then nothing. I opened task manager, and didn't see it running. Tried to run again, and didn't see it pop up at all. I moved it into the TDSS folder, and tried to run it, and it popped up in task manager for a few seconds, then disappeared, then after that it didn't even pop up. Noticing a trend, I tried renaming it, and the same thing happened, ran for a few seconds, then closed, then nothing.

Since it didn't run as specified, I tried doing some trouble shooting.

Vrank92 0 Newbie Poster · Answer 6 · 2011-12-04T19:19:51+00:00

After 3 attempts, including one over night, I can get DDS running, but after about 4 minutes (#'s get about 3/4 across the screen, the last one is under the "R" in Where (..post these logs to the forums WHERE you were asked to run...), and while my mouse still moves, the system freezes: Clock stops, Alt-CTRL-Del unresponsive, have to hard re-boot.

Also, in looking through old scan logs, SuperAntispyware did find a trojan a few days in:
Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\AMY\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\44\141B5F6C-6FBC4B14

Also, the one thing I haven't "fixed" in Spybot scans is this:
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
as the googles were telling me that is likely an effect of norton or another antivius software. Should I try fixing that and see what it does? I will run a new scan to let you know exactly what it says in a bit.

Vrank92 0 Newbie Poster · Answer 7 · 2011-12-04T21:33:44+00:00

I turned off teatimer, but no somehow safemode slipped my mind, I'll get on that now!

Should I have spybot fix the override?

Vrank92 0 Newbie Poster · Answer 8 · 2011-12-06T00:33:37+00:00

I left the override alone, tried to run both GMER and DSS in safemode, same results- Limited GMER access with the same error message, DSS didn't freeze the machine, but was unresponsive after getting to the exact same point in the scan (took about 4 mins to get there, didn't move for the next 2 hours).

I saw in S&Ds advanced options that it analyses your running/startup programs, and it had a few yellow (Iffy) and one red (bad) program picked out, although my google searches on the "bad" program had said it was legit. I can log them on here if that'll help, otherwise I think I'll start doing a systematic turn off/reboot one at a time to see if any have an effect.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 9 · 2011-12-06T01:01:16+00:00

You have to stop relying on SpyBot. It is a good scanner but otherwise it is more trouble than it is worth.
Give me the list of programs t says are iffy or bad.
I just checked this on mine and it show only two starting programs on my computer, I know this is NOT the case, I know for certain there are several more than two. One it questions is my anti-virus program, which is an excellent program and certainly not questionable.
In you HJT log I saw some not needed.
DDS should most certainly run in Safe Mode, so something is stopping it from running. Delete the one you have and download a new copy and try it again.Do it Safe Mode only, NOT safe mode with networking.

Vrank92 0 Newbie Poster · Answer 10 · 2011-12-06T04:11:47+00:00

I only mentioned spybot because I happened to notice that in the advanced area, its not normally something I even have on my system, normally its just norton 360 and malware bytes.

Is there another spot to download dds.scn from? I got it from the link in the "things to put in your post" stickied post. I downloaded it again, ran straight safe-mode (Is there a difference I should care about right now between it and safe-mode with command line?), and same scenario- I timed it, 11 mins to the point it drops, then it stops responding. Could it also go back to whatever was making it not run at all before? (When you gave me the file to add to my registry)

Here is the thing Spybot has Red:
SmoothView - C:\Program Files\TOSHBA\TOSHIBA Zooming Utility\SmoothView.exe

Yellow is:
DLA - C:\WINDOWS\System32\DLA\DLACTRLW.EXE
IntelZeroConfig - "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
NDSTray.exe - NDSTray.exe
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz - nwiz.exe /installquiet
Pinger - c:\toshiba\ivp\ism\pinger.exe /run
SunJavaUpdateShed - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
SynTPEnh - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
TOSCDSPD - C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

I was as accurate as possible with Caps and punct, FYI.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 11 · 2011-12-06T04:38:50+00:00

http://www.bleepingcomputer.com/download/anti-virus/dds

Not a single file I see there that is a problem, a may not need to auto start but nothing wrong with any of them that I can see. What one did Spybot say was bad?
Some are there because you have a Toshiba computer, occasionally programs like Spybot will not recognize those.

TOSHIBA Zooming Utility - allows "automatic" zoom feature in some appications, like IE, MS-Office, WMPlayer, Adobe-Reader and also desktop icons. Perfectly fine. Doesn't need to auto start but it is not a bad program.

DLA - C:\WINDOWS\System32\DLA\DLACTRLW.EXE >>Related to Sonic CD/DVD burning applications.

IntelZeroConfig >>>Related to Intel Corp. Zero Config MFC Application, part of Intel's ProSET utilities and installed by the drivers for many of Intel wireless network cards - essential to the proper functioning of many of the Intel ProSET utilities (but not all) and these System Tray ProSET utilities are a must if you are using your wireless connection, if only so you know when the signal is fading or dropping. **

NDSTray.exe>>> Related to ConfigFree Tray on a Toshiba laptop. Tray utility for their network switching application which permits switching network devices and settings with a click on the tray icon. While it is not required, for people who span multiple networks and want an easy way to go from wired to wireless and change addresses and other network settings, it's a must have **

NvCplDaemon>>>System Tray icon used to change display settings, change the clock rate and memory speed for nVidia based graphics cards.
Synaptics touchpad tray icon.
nwiz>>>Associated with the newer versions of nVidia graphics cards drivers.

Pinger >>>Pinger is the resident program for Toshiba updates.

SunJavaUpdateShed>>>Java update scheduler

SynTPEnh>>> Synaptics touchpad tray icon.**

ctfmon.exe>>>nvolved with the language/alternative input services in Office XP

SUPERAntiSpyware >>>obviously you know that is is the SUPERAntispyware program

TOSCDSPD>>>Related to CD/DVD drivers.

As you see none of the programs are bad programs, all have a good reason to be on the computer and either came with the computer or, in the case of SAS, installed by you. Do they all have to auto start? No they don't but they would have nothing to do with any type of infection or certainly should not be classed as bad programs.
With the exception of the ones I have noted with ** you can turn off those, the ones with ** leave alone.
But none of them hurt anything so if you normally use them all you can leave them alone. Many have probably been there since you purchased the computer.
None of them would be a factor in running DDS. It is a simple scanner, why it won't run, I don't really know. Have you emptied all temp files? How full is your hard drive?
DDS should most definitely run in Safe Mode, I haven't seen it not run in Safe Mode.

Vrank92 0 Newbie Poster · Answer 12 · 2011-12-06T20:06:15+00:00

hmmmm...
That's about what I found for those programs as well, I was kind of hoping you would notice some odd capitalization or something that pointed to one of the programs being a fake that I wouldn't catch.

The DDS thing is really confusing me, I have to say.
I have 52 Gigs open on the HDD, and temp files have been cleaned multiple times.
Any idea of what part is hanging it up? (do certain #'s show up as certain processes run as far as you know? It always hangs on the same one.) I'll redownload from the link you sent, and if there is still no luck I might try to get in touch with the creator, maybe that'll lead the way.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 13 · 2011-12-06T20:57:05+00:00

There is no way to tell where DDS is hanging, nothing shows during the scan. Do you have your Norton, SpyBot and all security programs 100% turned off when running this scan?
Did you try it in Safe Mode? NOT safe mode with networking but Safe Mode, you never said. It will still do a full scan in safe mode.

Vrank92 0 Newbie Poster · Answer 14 · 2011-12-06T21:01:53+00:00

Tried scanning in safe mode (not networking and not command line) a few times, always the same. Also tried it with the fresh download. Still nothing. I sent a message to sUBs at bleeping, maybe if they respond it'll get some clues for me.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 15 · 2011-12-07T00:30:28+00:00

If you do get a response please post here with their recommendations.

Vrank92 0 Newbie Poster · Answer 16 · 2011-12-07T22:46:32+00:00

No responce yet. I'm getting close to a system wipe, so I tried running ComboFix (saw a few forums where people had the same GMER error where it was suggested. It found rootkit.zeroaccess already, and froze after a popup about find possibly another rootkit. I'm switching and running in safemode now. I'll let you know if I find anything.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 17 · 2011-12-07T23:07:59+00:00

You should not have run Combofix without first being instructed to do so.
You cannot run the program again. Their information is very clear about this:

http://www.bleepingcomputer.com/forums/topic273628.html/page__hl__combofix

ComboFix is an Anti-Malware tool used by advanced malware technicians
specifically trained in its use.

Please DO NOT USE ComboFix on your own without supervision!!!

Run Combofix ONCE only!!

There are only TWO legal sites to obtain this tool and be guaranteed that it is an up to date version.

Where did you get your copy?

Vrank92 0 Newbie Poster · Answer 18 · 2011-12-07T23:20:42+00:00

I got it from bleeping computer. Like I said, I'm at the point of a HDD wipe and OS reinstall, so I figured running it couldn't really do that much harm. Worse case I still end up wiping my HDD completely.

iexplore self running, and google redirects on all browsers

Recommended Answers Collapse Answers

All 23 Replies

Recommended Answers