Vrank92

I got it from Bleeping Computer. Like I said, I'm at the point of a HDD wipe and OS reinstall, so I figured running it couldn't really do that much harm. Worst case, I still end up wiping my HDD completely.

Vrank92

No response yet. I'm getting close to a system wipe, so I tried running ComboFix (saw a few forums where people had the same GMER error where it was suggested). It found rootkit.zeroaccess already, and froze after a popup about possibly finding another rootkit. I'm switching and running in safe mode now. I'll let you know if I find anything.

Vrank92

Tried scanning in safe mode (not networking and not command line) a few times, always the same. Also tried it with the fresh download. Still nothing. I sent a message to sUBs at bleeping, maybe if they respond it'll get some clues for me.

Vrank92

hmmmm...
That's about what I found for those programs as well; I was kind of hoping you would notice some odd capitalization or something that pointed to one of the programs being a fake that I wouldn't catch.

The DDS thing is really confusing me, I have to say.
I have 52 Gigs open on the HDD, and temp files have been cleaned multiple times.
Any idea of what part is hanging it up? (do certain #'s show up as certain processes run as far as you know? It always hangs on the same one.) I'll redownload from the link you sent, and if there is still no luck I might try to get in touch with the creator, maybe that'll lead the way.

Vrank92

I only mentioned Spybot because I happened to notice that in the advanced area; it's not normally something I even have on my system, normally it's just Norton 360 and Malwarebytes.

Is there another spot to download dds.scn from? I got it from the link in the "things to put in your post" stickied post. I downloaded it again, ran straight safe mode (is there a difference I should care about right now between it and safe mode with command prompt?), and same scenario: I timed it, 11 mins to the point it drops, then it stops responding. Could it also go back to whatever was making it not run at all before? (When you gave me the file to add to my registry.)

Here is the thing Spybot has Red:
SmoothView - C:\Program Files\TOSHBA\TOSHIBA Zooming Utility\SmoothView.exe

Yellow is:
DLA - C:\WINDOWS\System32\DLA\DLACTRLW.EXE
IntelZeroConfig - "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
NDSTray.exe - NDSTray.exe
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz - nwiz.exe /installquiet
Pinger - c:\toshiba\ivp\ism\pinger.exe /run
SunJavaUpdateShed - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
SynTPEnh - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
TOSCDSPD - C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

I was as accurate as possible with Caps and punct, FYI.

Vrank92

I left the override alone, tried to run both GMER and DDS in safe mode, same results: limited GMER access with the same error message; DDS didn't freeze the machine, but was unresponsive after getting to the exact same point in the scan (took about 4 mins to get there, didn't move for the next 2 hours).

I saw in S&D's advanced options that it analyses your running/startup programs, and it had a few yellow (iffy) and one red (bad) program picked out, although my Google searches on the "bad" program had said it was legit. I can log them on here if that'll help; otherwise I think I'll start doing a systematic turn off/reboot one at a time to see if any have an effect.

Vrank92

I turned off TeaTimer, but somehow safe mode slipped my mind. I'll get on that now!

Should I have spybot fix the override?

Vrank92

After 3 attempts, including one overnight, I can get DDS running, but after about 4 minutes (#'s get about 3/4 across the screen, the last one is under the "R" in Where (..post these logs to the forums WHERE you were asked to run...)), and while my mouse still moves, the system freezes: clock stops, Ctrl-Alt-Del unresponsive, have to hard reboot.

Also, in looking through old scan logs, SuperAntispyware did find a trojan a few days in:
Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\AMY\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\44\141B5F6C-6FBC4B14

Also, the one thing I haven't "fixed" in Spybot scans is this:
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
as the Googles were telling me that is likely an effect of Norton or another antivirus software. Should I try fixing that and see what it does? I will run a new scan to let you know exactly what it says in a bit.

Vrank92

I may have explained myself poorly. I tried to run it, and nothing happened: hourglass for a few seconds, then nothing. I opened Task Manager, and didn't see it running. Tried to run again, and didn't see it pop up at all. I moved it into the TDSS folder, and tried to run it, and it popped up in Task Manager for a few seconds, then disappeared, then after that it didn't even pop up. Noticing a trend, I tried renaming it, and the same thing happened: ran for a few seconds, then closed, then nothing.

Since it didn't run as specified, I tried doing some troubleshooting.

Vrank92

I'll get on that file now, thanks. I tried to run TDSSKiller; the first time I try to run it from a unique folder or with a new name, it shows as running in my task list for maybe 4 seconds, then closes. After that, until I rename and/or move it, it doesn't even show as running. I'll get you that DDS scan ASAP.

Vrank92

I turned off TeaTimer, and after reboot will run the scan and report in.

In terms of the DDS scan, when I click it, instead of running in the command line, I get a "do you want to run this" box, hit yes, and it opens a Notepad window that is blank for a bit, then fills with text, much of which is non-alphanumeric. It never seems to run as a program.

"MZ       ÿÿ  ¸       @                                   Ø   º ´ Í!¸LÍ!This program cannot be run in DOS mode.

$       1¸„:uÙêiuÙêiuÙêi¶ÖµiwÙêiuÙëiîÙêi¶Ö·idÙêi!úÚiÙêi²ßìitÙêiRichuÙêi                        PE  L ÆãK        à   P        0ó  °      @                         í     €                           `      `                                                                                                          UPX0                             €  àUPX1     P   °  F                 @  à.rsrc             J              @  À                                                                                                                                                                                                                                                                                                                                                                                                                   3.07 UPX!
    •»    $И…‚Û 'C   „  & "ÿ÷ÿU‹ìƒì\ƒ}t+F‹Eu
ƒH‹
¨>Bÿ¿lÿ ‰HPÿuÿHr@ é uSÝŒ}÷V‹5°E¤WPLƒeôíæl»1EäP‹}ð¿ý±·ðDp; ï¶FRVV¯Uuÿ¿ýè‹Ï+MèÁ‰M™÷ÿ3ÒŠðQùÛÍNUMèÁ‹Ê1T»vé>ŠÈPE3Áá×m··ÀÈsôPBø¢p‡™åìrEðPˆTßÞ¾½ÿÓè9}qŒwÿ ƒ~Xÿºûteÿv4½5…À3tnÛ¶/jWÇ:« èî"Ý͹*Ê )XWKpÛg›ÛÿXÖðh -P¹gWøjÿh 6%Xr¿9Yˆw¤\_^3À[ÉÛßð·Â_‹L$¡ÈF‹ÑSiÒAVûÝÿÿW‹TöÂtOq3ÿ;5ÌsB‹Îiɼ}YþD‹ÁGët Ûÿö/BO…Ét ë
u‹Ù3Úƒã9Ù´Û³÷‰F1ArÊt[Â…wÃ7îQQ‹U¿òiö˜{À3ÉóW?üB‹F¨^~ìö9Mt$¾B‰;„D‹ÂiÀ°ðýG|B‹‡
,RÛËö÷#ëu(›@ÿEüµwÍtëø;A‹Ðr¼ùÛ7
͈û,lü tóø·ù/ƒN@ëç‹€áƒÉ‰ëÙ?ö?    V3öƒù s49Èv,Pö¿ð$¨uGÓç…züt~^°ÿ$þ‰FÂóÙò[Ù?á¡­seùZám†”ØB=#¼ïð+üß3Û9tK;ßsEÕrƒÆ5¶­°d„b(ý­pÛ <˜¦‹¾@ƒâÓàì…w¿«ü#È‹ÁÓâ;ÂvCÆxw[w{ßrÆt
÷ƒVã rŸßÚîmCüóŠ‹DÓN}@¹ÁmøÛ @eÁà
+ÈQ;Jِq³ôvt$öj‹ÆxÐkÀtÜ]¸øƒ8C\P!0=¯ÿökœiCu@FëH‹£ãÛÛð+&|$ž/Œ{jv7ž{w5th0u 
u0q³±u/Ph¡ÿe…DÞ¯a{…ö}’Î^Š¸[ëõ»ïîÐ|'Ctlj…™hpŸ°sŽŸË? Qì¤o8^MÊ¡"JØWjc»°ðY}ØNÌKó¥ñÜcÿûmàš‹úÁæ
ë‰]üÁç
ñùMû…ïú܉
h›M؃ÁþÚA‡˜ý×·½$(Sá?(
ÿlÌlÛß½9]Ì„c
!SÇø¶9vBH-…’9Öðw_‡S
Õƒø±P8³-½×ˆ|„ÌFüÜ¿-¼
‚^äu"‹ˆ ?ö·s7yˆ`<‹§-k±±)‹Ö{/ó4…a‹;Ë”À#¬¾Ç¶…C…6ÿ4•VÆ[ø/WpÊ]`xl†Ö7+tRQ%„ÇœëÎ<„ÿ>[jð=V·}‚ò«àº„š…ÝØ=ÈÎ!X‹øWFéþ—ï_f;ótBj\V
€SWŠˆˆEc³Ù:€u  |=·÷j5Û†ªW
x¨,ø…{¦Š'ˆF:Ãu¾àtjæBw„ÿmWh ˜Kb.t<>Äîjõ`SnN]ŸµcovjÐjß}‹ø»E¶#WV„pòjã<1×Íoíâê?Ø¿fk
ÔWH°jäaniM~P‹·¥o:éHl#“;Æv%8²cþ³!C;ÃtƒÀ,`²ëVþvÛ    ÇØìˆm…£D#6I7WÌhÿdÈBÇ{QVzSmdÍ>9o,jïíŸhü
ÁÞ¢j1žÁƒàV‰uø³cÿkøzFÂV¾p›¥VŠ‘ÞY„IP"ÂÙwðßK~MÄ¿p£­}|1ʸm]‡Ì“èÏQw7·iü`‹Èñý
Ñ€#ÁÆÞ\ã÷ØÒoÚu•ÖuÜ5C•êh$@íÛ´19þÿuv(S†ˆÅF–@WV
-ùEZ1ðÝ„WPâÃÞØÁøPD#ƒ6·/е§S'HVjúé<ŽlúN/øjâsÁ±¤‹|ƒ´(êóîÓfTSSzuäÿ
ÖÖ·6èÿ(Äì^‘
îÂëèP…¢ßŒ¹¨øì;ûÞ$ƒ~ÌÅþÿþujéV®`~ëjî~¤%ÎhR pSë4
±[¦'ÜPÃYçVjØÂiD;¹Jò´¹…ìè†Wîðw’2Îø1‡'î  ÇzsKx´j!jõ6G0º   ïnÔ·J”}•td*[woh37Áäøˆ;ø~vx¼µ/sÔÇUnoc—»â„û}x,y‰»soC‹ûÿ›ÿˆ7’ÖMN: o1vìIÛÉR‰ððpÐä5±Ù"ôëì)W²äNŠ)KP¸Oøl,6w´Vô?à]
Úy¸Bžÿ m9{KOæoÕð-Ùnÿ;ð|~–ësoèv†''œ,JìÕ¼À7ÄÔøwmè…¥)ÚÞ    ëb+^ÉÏ‹¡-lWäÇЖÛímù/ëJF#B3>Z04Û[îv+ÜuêÉë+   tø/>é
¹ôÕ8   úëE‹ƒÔùë&9Ù½ÓÿWŒ]òP†À¾— °ÄÌ›Ú-p¯}DH‹ßÝ|·Ž?uñ
ÑƒÇ–Þ  #ÜW³¡.•ýî]ÖKVP­;Ót%}ú8ù
.GçW£6<dë'…ühj@ÖåpàŽ“ªóF.ÞG¾R„‰‰5÷Ƙé„T×   ö¸\¬!ÃË„3á    פëD8•íCÂm!ÿuDŽMðÁù'fjjðUøŠ™kɆf™…`¹qÂæ²?Dë,E/ôFƒìŠ‡ÙÉŠöf›5v1Q#Í/-v©
CY&Üh&ß㌦ª‡FPg6Ê­s(rQTý1àù&ÌN¬%,J¹8’p¡ègîöð&ÛëA0Rq«Â/*.Àiv\5. j[ m0Û    ÈS¶S 5븙4hr)VÛOfû|P HjZ°f{c\8.@P¥áÂáÐS*’£tž\¥î˜£„  Š ?½ûF­¥ÊÆ‹ˆ
ˆ6÷Fî£h‰«çšm¢Š8·B„¦))6ïnèÞ‡lC¶ô`
<S  [\X
jËئ
‘8ÈjìÒ¥bpؖ訐¬îþZ% ...
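What the Notepad window shows is the raw content of a Windows executable rendered as text: the "MZ" signature at the start, the "This program cannot be run in DOS mode" stub, the section names UPX0/UPX1/.rsrc and the "3.07 UPX!" marker all say that the file is a UPX-packed PE image that is being opened by a text editor instead of being executed. The script below is an added example (not part of the thread and not code from the DDS author): it walks the MZ -> PE -> COFF -> section table chain on a constructed sample file, and applies the same clues to the kind of text a user pastes from Notepad. The sample bytes and the sample Notepad text are constructed for the example, not the bytes from the post.

```python
import re
import struct

DOS_STUB = "This program cannot be run in DOS mode"


def build_sample_pe() -> bytes:
    """Constructed sample (not a real program): the skeleton of a 32-bit PE
    file as UPX leaves it: MZ header, DOS stub text, PE signature, a COFF
    header declaring three sections named UPX0/UPX1/.rsrc, and the
    "<version> UPX!" marker that follows the section table."""
    e_lfanew = 0x80                          # offset of the "PE\0\0" signature
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x40:0x40 + len(DOS_STUB)] = DOS_STUB.encode()
    section_names = [b"UPX0", b"UPX1", b".rsrc"]
    size_of_optional = 0xE0                  # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x010F)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x010B)   # PE32 magic
    # each section header is 40 bytes; only the 8-byte name matters here
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table + b"3.07 UPX!"


def inspect_pe(data: bytes) -> dict:
    """Walk MZ -> PE -> COFF -> section table and report what the file is."""
    info = {"is_mz": False, "is_pe": False, "sections": [],
            "upx_packed": False, "upx_version": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_of_optional      # first section header
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        info["sections"].append(name)
    info["upx_packed"] = any(s.startswith("UPX") for s in info["sections"])
    m = re.search(rb"(\d\.\d\d) UPX!", data)
    if m:
        info["upx_version"] = m.group(1).decode()
    return info


def classify_notepad_dump(text: str) -> str:
    """Same clues applied to text pasted from Notepad, where the bytes have
    already been mangled into characters and offsets cannot be trusted."""
    if not text.startswith("MZ"):
        return "not a PE image"
    clues = []
    if DOS_STUB in text:
        clues.append("DOS stub")
    upx = [n for n in ("UPX0", "UPX1", "UPX2") if n in text]
    if upx:
        clues.append("UPX sections " + "/".join(upx))
    m = re.search(r"(\d\.\d\d) UPX!", text)
    if m:
        clues.append("UPX " + m.group(1) + " marker")
    return "PE executable opened as text (" + "; ".join(clues) + ")"


# Constructed stand-in for the pasted Notepad window: the recognisable
# strings with filler between them, not the bytes from the thread.
SAMPLE_NOTEPAD_TEXT = ("MZ\u00ff\u00ff \u00b8 @ \u00ba \u00b4 \u00cd!\u00b8L\u00cd!"
                       + DOS_STUB + ".\r\n$ PE L UPX0 UPX1 .rsrc 3.07 UPX!")

if __name__ == "__main__":
    print(inspect_pe(build_sample_pe()))
    print(classify_notepad_dump(SAMPLE_NOTEPAD_TEXT))
```

The defender's reading of a positive result is the one the helpers in this thread act on: a diagnostic tool that opens as a document instead of running points at interference with how executables are launched on that machine, not at a broken download, which is why the usual advice is to re-download and rename the tool rather than keep re-running the same file.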

Vrank92

Here's my HijackThis report:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:34:18 AM, on 12/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Documents and Settings\amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & ...

Vrank92

GMER Log 1 was blank.

GMER 2:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-02 18:22:43
Windows 5.1.2600 Service Pack 3
Running: pd6obq7b.exe; Driver: C:\DOCUME~1\amy\LOCALS~1\Temp\pwryapog.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB61590$\349758542 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\bckfg.tmp 995 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\L 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\L\qllsmjpa 456320 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000001.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000002.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000032.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000032.@ 96256 bytes
File C:\WINDOWS\$NtUninstallKB61590$\920543175 0 bytes

---- EOF - GMER 1.0.15 ----
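The file list above is the part of the GMER output that matters. $NtUninstallKBnnnnnn$ folders under C:\WINDOWS are where Windows XP keeps the uninstall backup for an installed update, and a genuine one holds a spuninst folder plus the files the update replaced. A random numeric sub-folder containing "@", "U", "L" and "cfg.ini" entries is not something an update leaves behind; it is the on-disk layout the ZeroAccess (Sirefef) family used at the time, which is consistent with ComboFix later reporting rootkit.zeroaccess in this thread. The script below is an added example (not part of the thread and not GMER's own code): it parses the "File ... N bytes" lines, groups them by numeric sub-folder, and scores each folder by how many of those markers it contains. The sample log is constructed from the lines on this page plus one made-up benign spuninst.exe line (KB number invented) to show that a normal update backup is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample: the Files section of the GMER log in this thread, plus
# one made-up benign line (an invented KB number with spuninst.exe) that a
# genuine update backup folder does contain.
SAMPLE_GMER_LOG = r"""---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB61590$\349758542 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\bckfg.tmp 995 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\L 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\L\qllsmjpa 456320 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U 0 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61590$\349758542\U\80000032.@ 96256 bytes
File C:\WINDOWS\$NtUninstallKB61590$\920543175 0 bytes
File C:\WINDOWS\$NtUninstallKB2570947$\spuninst\spuninst.exe 6656 bytes

---- EOF - GMER 1.0.15 ----
"""

# "File <path> <size> bytes" as GMER prints it in the Files section.
FILE_LINE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes\s*$")
# A purely numeric sub-folder directly under an $NtUninstallKB...$ backup
# directory; genuine backups hold spuninst\ and replaced files instead.
NUMERIC_SUBDIR = re.compile(
    r"^(?P<root>[A-Za-z]:\\WINDOWS\\\$NtUninstallKB\d+\$\\\d+)(?:\\(?P<rest>.*))?$",
    re.IGNORECASE)
# Top-level entries that make up the hidden store seen in this thread's log.
STORE_MARKERS = {"@", "U", "L", "cfg.ini"}


def parse_gmer_files(log: str):
    """Yield (path, size) for every 'File ... N bytes' line in a GMER log."""
    for line in log.splitlines():
        m = FILE_LINE.match(line)
        if m:
            yield m.group("path"), int(m.group("size"))


def find_numeric_stores(log: str) -> dict:
    """Group file entries by suspect numeric folder and collect the markers
    found directly inside each one."""
    stores = defaultdict(lambda: {"entries": 0, "bytes": 0, "markers": set()})
    for path, size in parse_gmer_files(log):
        m = NUMERIC_SUBDIR.match(path)
        if not m:
            continue
        rec = stores[m.group("root")]          # register the folder itself
        rest = m.group("rest")
        if rest is None:
            continue
        rec["entries"] += 1
        rec["bytes"] += size
        top = rest.split("\\")[0]
        key = top if top in ("@", "U", "L") else top.lower()
        if key in STORE_MARKERS:
            rec["markers"].add(key)
    return dict(stores)


def assess(stores: dict) -> list:
    """Two or more markers: the folder matches the hidden-store layout.
    A bare numeric folder with nothing listed inside is only a lead."""
    report = []
    for root, rec in sorted(stores.items()):
        hits = sorted(rec["markers"])
        verdict = "matches hidden-store layout" if len(hits) >= 2 else "review"
        report.append({"root": root, "markers": hits, "entries": rec["entries"],
                       "bytes": rec["bytes"], "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in assess(find_numeric_stores(SAMPLE_GMER_LOG)):
        print(row["verdict"], row["root"], row["markers"], row["entries"], "entries")
```

The second numeric folder (920543175) shows up with no contents listed, which is why the scoring keeps it as "review" rather than a match: GMER only lists what its driver could see, and on a machine where the driver failed to load cleanly (the LoadDriver error reported earlier in the thread) an empty listing is not evidence that the folder is empty.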

Vrank92

Ok, I seem to have quite a pickle here. About a week ago I started getting google redirects. I have done quite a bit of troubleshooting since, and this is everything I know:

-Google redirects on all browsers (Firefox, IE, and Chrome, which I installed after the trouble started in the hope it would somehow avoid the issue)

-iexplore will open itself (with no visible windows) at one point playing music, but always eating RAM and CPU space

-I turned off System Restore

-I installed Norton 360 since the trouble started (had an extra seat). I've scanned with it (full scans, both files and processes), Malwarebytes, Trend Micro HouseCall, Spybot S&D, and SuperAntiSpyware. I've found a few things, but all have had at least one clear scan.

I had a few issues running the logs asked for:
-GMER had an error popup before running that said: LoadDriver(“C:\DOCUME~1\amy)LOCALS~1\Temp\pwyapog.sys”) error 0xC000010E: Cannot Create a stable subkey under a volatile parent key.

Only available checkmarks: Services, Registry, Files

I ran the scan with that for the logs I'll post

-DDS only runs as garbage in Notepad (says it's an AutoCAD script)

Here are all my new logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8253

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/2/2011 8:34:09 PM
mbam-log-2011-12-02 (20-34-09).txt

Scan type: Full scan (C:|)
Objects scanned: 383968
Time elapsed: 2 hour(s), 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0 ...

Vrank92

This doesn't necessarily help, but I have the exact same issue on my wife's laptop that started about a week ago. I've scanned with Spybot, SuperAntiSpyware, Trend Micro HouseCall, Norton 360 system and processes scans, and Malwarebytes. While they have found things, I have had at least one clean scan with each, with my System Restore turned off, and I still have the same iexplore running itself in the background, and Google results redirect to other sites on the first three clicks. I've checked my hosts file (it wasn't there at first actually, so I created one), and it's all clear as well.

I was planning on posting to the main forum. Does it make more sense to post here, or should I just post a link to this thread, as it seems like possibly the same issue?