
Remnants of a virus still on my PC

corbyboy
corbyboy Posts: 1,169 Forumite
Part of the Furniture
I had an infection on my PC yesterday (I believe it was called Bamatil). I removed a lot of files and registry entries that it created and virus scans are showing up as no infection now.

But a lot of my browsing is being hijacked onto antivirus websites. This only happens on IE, not Firefox. The only thing I could think of was the hosts file, but that is clean.

I have followed all the standard steps to get rid of this but I don't seem to be getting anywhere. Does anybody have any ideas?

Comments

  • corbyboy
    corbyboy Posts: 1,169 Forumite
    Part of the Furniture
    Here is my HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 09:10:23, on 07/03/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19019)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Users\Chris\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    D:\Chris's data\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FCTBPos00Pos - {B7C2F0D8-2209-4693-A15D-5A537211D48B} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll
    O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Nectar Search Toolbar - {8020143D-5926-4394-A04D-DD0B649DA121} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} (TNSClickerc.Clicker) - http://www.shopandscan.com/TNSClickrc.CAB
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Acunetix WVS Scheduler v6 (AcuWVSSchedulerv6) - Acunetix Ltd. - C:\Program Files\Acunetix\Web Vulnerability Scanner 6\WVSScheduler.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - SOURCENEXT - C:\Windows\system32\bgsvcgen.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EASEUS Agent - CHENGDU YIWO Tech Development Co., Ltd - C:\Program Files\EASEUS Todo Backup 2.0\bin\Agent.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
    O23 - Service: Google Update Service (gupdate1c97c096a3ddd98) (gupdate1c97c096a3ddd98) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TipCtrl - Unknown owner - C:\Program Files\uTIPu\TipCtrl.exe (file missing)
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7378 bytes
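Reading a HijackThis log by hand means scanning for the same handful of patterns every time: a process image running out of a Temp directory, O2/O3 entries whose CLSID no longer has a file behind it, O4 Run values that name a bare executable rather than a full path, and O23 services whose binary is missing. The following script is an added example (not HijackThis output or anything from this thread's participants) that applies those checks to a constructed sample in the same format; the sample lines are modelled on the log above, and the severity labels are this example's own convention.

```python
import re

# Constructed sample in HijackThis v2 format, modelled on the log above.
# Only a handful of lines are reproduced; paths and CLSIDs are taken from that log.
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\Chris\AppData\Local\Temp\RtkBtMnt.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O23 - Service: TipCtrl - Unknown owner - C:\Program Files\uTIPu\TipCtrl.exe (file missing)
"""

TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
ITEM = re.compile(r"^(O\d+) - (.*)$")
LOOPBACK = {"127.0.0.1", "::1"}


def image_of(o4_body):
    """Return the executable from an O4 body such as 'HKLM\\..\\Run: [Name] "C:\\x.exe" /flag'."""
    target = o4_body.split("] ", 1)[1]
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split()[0]


def triage(log_text):
    """Scan a HijackThis log and return (severity, line, reason) tuples worth a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
            elif TEMP_DIR.search(line):
                findings.append(("high", line, "process image running from a Temp directory"))
            continue
        m = ITEM.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O1":
            fields = body.split(": ", 1)[1].split()
            if len(fields) >= 2 and (fields[1].lower() != "localhost" or fields[0] not in LOOPBACK):
                findings.append(("high", line, "hosts file overrides name resolution"))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("low", line, f"{code} entry with no backing file (orphan CLSID)"))
        elif code == "O4":
            image = image_of(body)
            if "\\" not in image and not image.startswith("%"):
                findings.append(("info", line, "bare filename in Run value; resolved via the search path"))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append(("low", line, "service registered for a missing executable"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, _line, _reason in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Orphan O2/O3 and O23 entries are usually harmless leftovers, which is why they are rated low here; the Temp-directory process is the line a reviewer would ask about first, because legitimate software rarely keeps its running image there.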
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    What did you remove it with?

    Did you use Malwarebytes?


    Post the log file from your last scan.
    Ex forum ambassador

    Long term forum member
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    Part of the Furniture
    I previously used Microsoft Security Essentials but had to run it in Safe Mode as this particular virus blocks it working.

    I used Malwarebytes after that and it removed a few things. Here is the log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 5977

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.19019

    07/03/2011 01:08:06
    mbam-log-2011-03-07 (01-08-06).txt

    Scan type: Quick scan
    Objects scanned: 151270
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\$RECYCLE.BIN\s-1-5-21-2264184497-833179889-1779411501-1003\$R7R93TW.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-2264184497-833179889-1779411501-1003\$RFIJF00.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-2264184497-833179889-1779411501-1003\$RFQC1TT.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-2264184497-833179889-1779411501-1003\$RGV3N93.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-2264184497-833179889-1779411501-1003\$ROJC71Q.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-2264184497-833179889-1779411501-1003\$RUST2XU.exe (Rogue.SecurityShield) -> Quarantined and deleted successfully.
    c:\Users\Chris\AppData\Local\Temp\ntoskrnla.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 7 March 2011 at 10:34AM
    Bleeping Computer link is down, so download this and run it, and post that log file when done.

    How to use ComboFix:
    • Disable or close all anti-spyware, anti-malware and antivirus real-time protection, which may affect ComboFix.
    • Download (Download) the latest official version of ComboFix (2.8MB) and save it to your desktop.
    • Close all programs on your computer.
    • Double-click ComboFix.exe on your desktop.
    • When ComboFix has finished, it will create logs for you.
    If you cannot disable Microsoft security, then uninstall it for now and put it back when clean.
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Edit: link is back up now with the full guide here

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    Ex forum ambassador

    Long term forum member
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Definitely run combofix

    Also, reset Internet Explorer:

    1. Open Internet Explorer.
    2. Click Tools, and then click Internet Options.
    3. Click the Advanced tab.
    4. Under Reset Internet Explorer Settings, click Reset.
    :idea:
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    Part of the Furniture
    I have uninstalled my current AV program (Microsoft Security Essentials) and tried to run Combofix, but the computer is rebooting with a blue screen part way through the scan.
    This is actually the first time I have ever seen a blue screen on Vista.

    I have everything backed up so I think a reinstallation of Windows might be the best way forward from here.
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    Part of the Furniture
    Ok, so here's what happened in the last day. I ran the recovery discs and restored my factory settings. However, I was still having the problems, so I suspect this hasn't restored all files to their original state.

    After trying a few times I managed to get Combofix to finish. Here is the log:
    ComboFix 11-03-08.01 - Chris 08/03/2011 22:55:30.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.2038.1006 [GMT 0:00]
    Running from: c:\users\Chris\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\oem13.inf
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-09 03:25 . 2007-08-28 20:43 170520 ----a-w- c:\windows\system32\igfxzoom.exe
    2011-03-09 02:32 . 2011-03-09 02:32 d-----w- c:\windows\system32\Lang
    2011-03-09 02:32 . 2007-08-28 20:43 399896 ----a-w- c:\windows\system32\igxpun.exe
    2011-03-09 02:32 . 2006-11-10 17:25 319456 ----a-w- c:\windows\system32\difxapi.dll
    2011-03-09 02:32 . 2011-03-09 02:32 d-----w- c:\program files\CONEXANT
    2011-03-08 23:01 . 2011-03-08 23:01 d-----w- c:\users\Default\AppData\Local\temp
    2011-03-08 21:51 . 2011-02-23 09:35 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E06D286-E746-4B4E-8C37-7003DE4DC55E}\mpengine.dll
    2011-03-08 21:46 . 2010-11-30 10:43 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BC76CE0D-4D15-40F6-9B3C-D5DF964D8DCF}\gapaengine.dll
    2011-03-08 21:44 . 2011-03-08 21:44 d-----w- c:\program files\Microsoft Security Client
    2011-03-08 21:44 . 2010-04-05 17:03 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-03-08 21:44 . 2010-04-05 17:02 220040 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-03-08 21:44 . 2010-04-05 17:02 98184 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2011-03-08 21:44 . 2010-04-05 16:29 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
    2011-03-08 21:44 . 2010-04-05 16:29 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
    2011-03-08 21:44 . 2010-04-05 16:28 328704 ----a-w- c:\windows\system32\BFE.DLL
    2011-03-08 20:57 . 2011-03-08 20:57 d-----w- c:\programdata\Malwarebytes
    2011-03-08 20:57 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-08 20:57 . 2011-03-08 20:57 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-08 20:57 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-08 20:15 . 2011-03-08 20:15 d-----w- c:\program files\Acer
    2011-03-08 20:15 . 2011-03-08 20:15 d-----w- c:\programdata\Yahoo! Companion
    2011-03-08 20:11 . 2007-11-30 15:51 15392 ----a-w- c:\windows\system32\drivers\int15.sys
    2011-03-08 20:11 . 2007-11-06 09:30 6080 ----a-w- c:\windows\system32\drivers\zntport.sys
    2011-03-08 20:11 . 2007-11-06 09:30 8704 ----a-w- c:\windows\system32\drivers\TVicPort64.sys
    2011-03-08 20:11 . 2007-11-06 09:30 15656 ----a-w- c:\windows\system32\drivers\int15_64.sys
    2011-03-08 20:11 . 2007-11-06 09:30 14544 ----a-w- c:\windows\system32\drivers\TVicPort.sys
    2011-03-08 20:11 . 2007-11-06 09:30 13096 ----a-w- c:\windows\system32\drivers\zntport64.sys
    2011-03-08 19:54 . 2007-07-17 19:33 368640 ----a-w- c:\windows\system32\CheckD2DSystem.exe
    2011-03-08 19:54 . 2006-11-12 11:54 327680 ----a-w- c:\windows\system32\Remove_eRecovery.exe
    2011-03-08 19:54 . 2006-11-10 17:27 16384 ----a-w- c:\windows\system32\LauncheRyAgentUser.exe
    2011-03-08 19:54 . 2005-12-09 09:12 16384 ----a-w- c:\windows\system32\ClearEvent.exe
    2011-03-08 19:54 . 2006-07-20 10:33 65536 ----a-w- c:\windows\system32\NATTraversal.dll
    2011-03-08 19:53 . 2011-03-08 19:53 d-----w- c:\program files\Launch Manager
    2011-03-08 19:50 . 2007-03-14 21:02 29744 ------w- c:\windows\system32\msxml3a.dll
    2011-03-08 19:50 . 2007-03-14 21:02 49712 ----a-w- c:\windows\system32\msxm733b.rra
    2011-03-08 19:50 . 2011-03-08 19:50 d-----w- c:\program files\CyberLink
    2011-03-08 19:50 . 2001-09-05 04:18 225280 ----a-w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
    2011-03-08 19:50 . 2001-09-05 04:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2011-03-08 19:50 . 2001-09-05 04:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2011-03-08 19:50 . 2001-09-05 04:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2011-03-08 19:50 . 2007-03-14 04:54 610436 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2011-03-08 19:49 . 2011-03-08 19:49 d-----w- C:\Intel
    2011-03-08 19:47 . 2011-03-08 19:53 d-----w- c:\users\Chris
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-01-03 02:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
    "WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-27 535336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    .
    .
    Supplementary Scan
    .
    uStart Page = about:blank
    mStart Page = hxxp://en.uk.acer.yahoo.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-eRecoveryService - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-08 23:01
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6001 Disk: Hitachi_HTS542580K9SA00 rev.BBBOC31P -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-4
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86D84439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d8a7b8]; MOV EAX, [0x86d8a834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x81CD7FEF] -> \Device\Harddisk0\DR0[0x86319788]
    3 CLASSPNP[0x827A2745] -> ntkrnlpa!IofCallDriver[0x81CD7FEF] -> [0x86243870]
    5 acpi[0x8069E6A0] -> ntkrnlpa!IofCallDriver[0x81CD7FEF] -> [0x8620E8A8]
    \Driver\atapi[0x86319390] -> IRP_MJ_CREATE -> 0x86D84439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskHitachi_HTS542580K9SA00_________________BBBOC31P#5&2d3b680d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 156301486 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-03-08 23:03:39
    ComboFix-quarantined-files.txt 2011-03-08 23:03
    .
    Pre-Run: 20,425,248,768 bytes free
    Post-Run: 20,478,033,920 bytes free
    .
    - - End Of File - - 199132F6BAB0CE078E8F667F1CD17542

    As you can see it removed a rootkit. However, the problems persist: hijacked searches and Windows Update is blocked.

    Any further advice for me?
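The decisive lines in the ComboFix output above are the Gmer MBR detector's "user != kernel MBR": the first sector of the disk looks different depending on whether it is read through the normal user-mode path or lower down the storage stack, which is exactly the signature of a bootkit that serves a clean copy to anything inspecting it from above. The script below is an added example (not Gmer's or ComboFix's code) that shows the comparison on two constructed 512-byte MBR images: it checks the 0x55AA boot signature, decodes the partition table, reports the first byte at which the two views diverge, and computes how many sectors lie beyond the last partition. The disk size matches the sector count printed in the log; the partition entry, the clean boot prologue and the altered stand-in bytes are all made up for the example and are not real bootkit code.

```python
import struct

SECTOR = 512
CODE_LEN = 446            # boot code occupies bytes 0..445
TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample disk geometry: the size matches the sector count in the log
# above; the partition entry itself is made up for the example.
DISK_SECTORS = 156301486
PARTITION = (0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 156299183)

# Constructed boot code: a plausible clean prologue versus a stand-in that merely
# differs (a two-byte jump-to-self), not any real bootkit code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
ALTERED_CODE = b"\xeb\xfe" + b"\x00" * 30


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR image from boot code and up to four partition entries."""
    code = boot_code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b"".join(struct.pack(ENTRY, *p) for p in partitions).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_partitions(mbr):
    """Decode the non-empty partition table entries."""
    entries = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def unallocated_tail(entries, disk_sectors):
    """Sectors after the last partition: space the partition table does not account for."""
    end = max((e["lba_start"] + e["sectors"] for e in entries), default=0)
    return disk_sectors - end


def compare_views(user_view, kernel_view):
    """Compare the MBR as seen through the user-mode path with the one read lower in the stack."""
    first_diff = next((i for i in range(SECTOR) if user_view[i] != kernel_view[i]), None)
    return {
        "user_sig_ok": user_view[510:512] == SIGNATURE,
        "kernel_sig_ok": kernel_view[510:512] == SIGNATURE,
        "code_match": user_view[:CODE_LEN] == kernel_view[:CODE_LEN],
        "table_match": user_view[TABLE_OFF:510] == kernel_view[TABLE_OFF:510],
        "first_diff": first_diff,
        "discrepancy": first_diff is not None,
    }


USER_VIEW = build_mbr(CLEAN_CODE, [PARTITION])      # what a user-mode read returns
KERNEL_VIEW = build_mbr(ALTERED_CODE, [PARTITION])  # what is actually on the disk

if __name__ == "__main__":
    report = compare_views(USER_VIEW, KERNEL_VIEW)
    print("user != kernel MBR" if report["discrepancy"] else "MBR views agree", report)
    parts = parse_partitions(KERNEL_VIEW)
    print("partitions:", parts)
    print("unallocated tail sectors:", unallocated_tail(parts, DISK_SECTORS))
```

Two points the comparison makes concrete: the partition table can be identical in both views while the boot code differs, so a partition-table-only check would miss the infection; and the unallocated tail after the last partition is worth recording, because space the table does not account for is where a bootkit can keep data that no file system scan will visit. A clean comparison requires reading the sector from below whatever filter drivers are loaded, which is why tools like the one in the log run their own kernel component.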
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Download HostsXpert
    http://www.softpedia.com/progDownload/Hoster-Download-27041.html
    and then follow the below steps.
    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click the Make Writeable? button.
    * Click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

    I'll check the log in time
    :idea:
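Restoring the stock hosts file is a blunt fix; before doing it, it is worth knowing exactly which mappings were there, since a hijacker typically either sinkholes security-vendor hostnames to 127.0.0.1 or points search sites at an address it controls. The following script is an added example (not HostsXpert and not from anyone in this thread) that parses a hosts file and reports every mapping that is not one of the two stock Windows Vista entries, distinguishing loopback sinkholes from outright redirections. The sample file is constructed: the hostnames use the reserved `.invalid` suffix and the address is from the documentation range, so nothing in it refers to a real site. A clean result, as corbyboy reports in the reply below, means the redirection is happening somewhere other than name resolution.

```python
import ipaddress
import sys

# Stock entries of a Windows Vista hosts file; anything else is an override.
STOCK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the stock entries plus two hijack-style overrides using
# reserved example names (RFC 2606) and a documentation address (RFC 5737).
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
#
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid
192.0.2.10      www.example-search.invalid   # trailing comment
"""


def parse_hosts(text):
    """Yield (line number, address, hostname) per mapping; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, fields[0]          # address field is not an IP address
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text):
    """Return (line, hostname, reason) for each mapping that is not a stock entry."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr is None:
            findings.append((lineno, name, "malformed entry"))
        elif (str(addr), name) in STOCK:
            continue
        elif addr.is_loopback:
            findings.append((lineno, name, "sinkholed to loopback: name cannot be reached"))
        else:
            findings.append((lineno, name, f"redirected to {addr}"))
    return findings


def is_stock(text):
    """True when the file contains nothing beyond the stock localhost entries."""
    return not audit_hosts(text)


if __name__ == "__main__":
    # Windows keeps the file at %SystemRoot%\System32\drivers\etc\hosts; pass its
    # path as the first argument to audit a real file instead of the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, name, reason in audit_hosts(text):
        print(f"line {lineno}: {name} -> {reason}")
```

Comments are stripped before parsing because a hijacked file sometimes hides its additions below a long run of blank lines or behind a `#` block; the parser only trusts what the resolver would actually use.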
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    Part of the Furniture
    aliEnRIK wrote: »
    Download HostsXpert
    http://www.softpedia.com/progDownload/Hoster-Download-27041.html
    and then follow the below steps.
    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click the Make Writeable? button.
    * Click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

    I'll check the log in time

    Thanks for this. I did what you said, but the hosts file had not been modified in any way.
This discussion has been closed.