WiredWX Hobby Weather Tools

100k searches issue
Hi,

I've got something where my Google searches were redirected to 100K searches when I clicked on any of the search results. That lasted for one day and now my Symantec file system auto protect is malfunctioning and I'm denied access to any Windows installer.

I tried running OTL.com but got a dialog box stating that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I do have administrator rights.

I ran aswMBR.exe and have this log file:

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-29 19:11:47
-----------------------------
19:11:47.484 OS Version: Windows 5.1.2600 Service Pack 3
19:11:47.484 Number of processors: 4 586 0x2505
19:11:47.484 ComputerName: 9WS4WM1 UserName: pscully
19:12:01.796 Initialize success
19:12:31.281 AVAST engine defs: 11072900
19:12:36.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:12:36.093 Disk 0 Vendor: WDC_WD16 01.0 Size: 152627MB BusType: 3
19:12:36.109 Disk 0 MBR read successfully
19:12:36.109 Disk 0 MBR scan
19:12:36.359 Disk 0 Windows XP default MBR code
19:12:36.390 Disk 0 scanning sectors +312560640
19:12:36.484 Disk 0 scanning C:\WINDOWS\system32\drivers
19:13:22.171 Service scanning
19:13:23.906 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
19:13:23.906 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
19:13:23.921 Service WGX C:\WINDOWS\System32\Drivers\WGX.SYS **LOCKED** 32
19:13:23.921 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
19:13:23.921 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
19:13:24.421 Modules scanning
19:14:11.687 Disk 0 trace - called modules:
19:14:11.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:14:11.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7b78a0]
19:14:11.718 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a20c028]
19:14:36.046 AVAST engine scan C:\WINDOWS
19:15:11.656 AVAST engine scan C:\WINDOWS\system32
19:17:55.375 AVAST engine scan C:\WINDOWS\system32\drivers
19:18:11.078 AVAST engine scan C:\Documents and Settings\pscully
19:57:55.250 AVAST engine scan C:\Documents and Settings\All Users
20:05:02.031 Scan finished successfully
20:06:50.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\pscully\Desktop\Fixes\MBR.dat"
20:06:50.078 The log file has been saved successfully to "C:\Documents and Settings\pscully\Desktop\Fixes\aswMBR.txt"

I then ran SecurityCheck.exe and got this log file:

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec Endpoint Protection
Rockwell Windows Firewall Configuration Utility 1.00.03
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 26
Java 2 Runtime Environment, SE v1.4.2
Adobe Flash Player 10.3.181.34
Mozilla Firefox (3.6.18) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

Any help will be appreciated.

Thanks in advance,

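As an added example (not part of the original post, and not an aswMBR feature), here is a small Python parser for the aswMBR log above. It pulls out the **LOCKED** service entries, the MBR verdict and the list of drivers in the disk I/O call chain, then applies two triage checks: a locked driver living outside the standard drivers directory, and a module in the disk call chain that is not on an allow-list of expected storage-stack drivers. The allow-list and the second, constructed log are assumptions, not from the page. One caveat worth keeping in mind: self-protecting security products routinely lock their own drivers, so LOCKED by itself is not a verdict; the five entries above should be matched against the installed product (the Security Check output lists Symantec Endpoint Protection) before any of them is treated as suspect.

```python
import re

# Lines copied from the aswMBR log posted above (the page's own data, trimmed
# to what the parser reads).
ASWMBR_LOG = r"""19:11:47.484 OS Version: Windows 5.1.2600 Service Pack 3
19:12:36.109 Disk 0 MBR read successfully
19:12:36.359 Disk 0 Windows XP default MBR code
19:13:22.171 Service scanning
19:13:23.906 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
19:13:23.906 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
19:13:23.921 Service WGX C:\WINDOWS\System32\Drivers\WGX.SYS **LOCKED** 32
19:13:23.921 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
19:13:23.921 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
19:14:11.687 Disk 0 trace - called modules:
19:14:11.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:14:11.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7b78a0]
20:05:02.031 Scan finished successfully
"""

# Constructed sample, not from the page: a locked driver loaded from a temp
# directory, an unknown module in the disk call chain, and no MBR verdict.
SUSPICIOUS_LOG = r"""19:13:23.906 Service abcd1234 C:\WINDOWS\Temp\abcd1234.sys **LOCKED** 32
19:14:11.687 Disk 0 trace - called modules:
19:14:11.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys unknown.sys atapi.sys hal.dll
"""

TS = r"^\d\d:\d\d:\d\d\.\d+ "
SERVICE_RE = re.compile(TS + r"Service (\S+) (.+?) \*\*LOCKED\*\* (\d+)$")
TRACE_HDR_RE = re.compile(TS + r"Disk \d+ trace - called modules:$")
TS_RE = re.compile(TS)

# Assumed allow-list of modules normally seen in an XP IDE/AHCI disk stack.
# Extend it for the machine under review; it is not an aswMBR built-in.
EXPECTED_DISK_STACK = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "atapi.sys", "pciide.sys", "pciidex.sys", "iastor.sys",
}


def parse_aswmbr(text):
    """Extract the fields worth triaging from an aswMBR text log."""
    report = {"locked_services": [], "mbr_default_code": False, "trace_modules": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SERVICE_RE.match(line)
        if m:
            report["locked_services"].append({"name": m.group(1), "path": m.group(2)})
        elif "default MBR code" in line:
            report["mbr_default_code"] = True
        elif TRACE_HDR_RE.match(line) and i + 1 < len(lines):
            # The line after the header lists the drivers in the disk I/O path.
            report["trace_modules"] = TS_RE.sub("", lines[i + 1]).split()
    return report


def triage(report):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if not report["mbr_default_code"]:
        findings.append("no 'default MBR code' verdict: review the saved MBR.dat")
    for svc in report["locked_services"]:
        # Locked drivers are normal for self-protecting security products, so
        # only flag ones living outside the standard drivers directory.
        if "\\system32\\drivers\\" not in svc["path"].lower():
            findings.append(f"locked driver outside system32\\drivers: {svc['name']} ({svc['path']})")
    for mod in report["trace_modules"]:
        if mod.lower() not in EXPECTED_DISK_STACK:
            findings.append(f"unexpected module in disk call chain: {mod}")
    return findings


if __name__ == "__main__":
    for label, log in (("posted log", ASWMBR_LOG), ("constructed log", SUSPICIOUS_LOG)):
        rep = parse_aswmbr(log)
        print(label, "locked:", [s["name"] for s in rep["locked_services"]])
        for finding in triage(rep):
            print("  !", finding)
```

Run against the posted log, the triage comes back empty: the MBR verdict is the XP default, all five locked drivers sit under system32\drivers, and the call chain contains only storage-stack modules. The constructed log produces three findings, one per injected anomaly.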
Re: 100k searches issue
Hi,

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this.

  • Click on Yes to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

ComboFix results
Hi Sneakyone,

I tried to disable Symantec Endpoint Protection but the disable was grayed out.
Here is the ComboFix log, I attached it because it looked like an external link or email.

Thanks for your help.

ComboFix log
Here it is for real (I hope):

Re: 100k searches issue
Hi,

Please download Malwarebytes Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: 100k searches issue
Hi,
Here is the log from Malwarebytes:



Thanks in advance,

Re: 100k searches issue
Hi,

I ran Malwarebytes in safe mode as described in the Using Malwarebytes Guide and posted that log in Post #6.
I then ran it again in normal mode twice and got the following two logs that I concatenated into one file.

Thanks,

Re: 100k searches issue
Hi,

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: 100k searches issue
Hi,

Here is the log from ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=639feb87add2954580920f367a8b6a34
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-31 06:12:05
# local_time=2011-07-31 02:12:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=200996
# found=0
# cleaned=0
# scan_time=6257
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=639feb87add2954580920f367a8b6a34
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-05 07:52:33
# local_time=2011-08-05 03:52:33 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=237513
# found=3
# cleaned=3
# scan_time=21654
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036050.sys a variant of Win32/Rootkit.Kryptik.DM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036051.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP188\A0036457.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


My Symantec Endpoint Protection also found Trojan.Zeroaccess when I started my machine at home.

Thanks,

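Added example, not part of the thread and not ESET tooling: a Python parser for the ESET Online Scanner log above. ESET writes one block of `# key=value` header lines per run followed by one line per detection, so the log pasted above is really two runs concatenated. The parser splits them, and separates detections under System Volume Information\_restore{...} (System Restore snapshot copies) from files in live locations. For this log the split is informative: the first run finished with found=0, and all three hits in the second run, which ended with end=stopped rather than finished, are restore-point copies. No live file was reported, so these detections do not by themselves account for the msiexec.exe access problem described later in the thread. The detection-line pattern (drive-letter path, detection text, action in parentheses, a 32-hex digest and a flag) is inferred from the three lines shown and is an assumption.

```python
import re

# Copied from the ESET Online Scanner log posted above (the page's own data);
# header keys the summary does not use are left out.
ESET_LOG = r"""# version=7
# OnlineScannerApp.exe=1.0.0.1
# end=finished
# remove_checked=true
# archives_checked=false
# utc_time=2011-07-31 06:12:05
# scanned=200996
# found=0
# cleaned=0
# scan_time=6257
# version=7
# end=stopped
# remove_checked=true
# archives_checked=true
# utc_time=2011-08-05 07:52:33
# scanned=237513
# found=3
# cleaned=3
# scan_time=21654
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036050.sys a variant of Win32/Rootkit.Kryptik.DM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036051.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP188\A0036457.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^# ([^=]+)=(.*)$")
# Detection-line layout inferred from the lines above (an assumption):
#   <drive path> <detection text> (<action>) <32-hex digest> <flag>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4}) "
    r"(?P<detection>.+?) \((?P<action>[^()]*)\) "
    r"(?P<digest>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
INT_KEYS = {"scanned", "found", "cleaned", "scan_time"}


def parse_eset(text):
    """Split a (possibly concatenated) ESET log into runs, each with its detections."""
    runs = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            key, value = h.groups()
            if key == "version" or not runs:  # each run opens with '# version='
                runs.append({"header": {}, "detections": []})
            runs[-1]["header"][key] = int(value) if key in INT_KEYS else value
            continue
        d = DETECTION_RE.match(line)
        if d and runs:
            runs[-1]["detections"].append(d.groupdict())
    return runs


def in_restore_point(path):
    """True for a file inside a System Restore snapshot rather than a live location."""
    return bool(RESTORE_POINT_RE.search(path))


def family_of(detection):
    """'a variant of Win32/Sirefef.CH trojan' -> 'Win32/Sirefef.CH'."""
    return next((tok for tok in detection.split() if "/" in tok), detection)


def summarize(run):
    """Condense one run into the numbers a reviewer actually compares."""
    hdr, dets = run["header"], run["detections"]
    restore = [d for d in dets if in_restore_point(d["path"])]
    return {
        "completed": hdr.get("end") == "finished",
        "scanned": hdr.get("scanned", 0),
        "found": hdr.get("found", 0),
        "cleaned": hdr.get("cleaned", 0),
        "restore_point_hits": len(restore),
        "live_hits": len(dets) - len(restore),
        "families": sorted({family_of(d["detection"]) for d in dets}),
    }


if __name__ == "__main__":
    for n, run in enumerate(parse_eset(ESET_LOG), 1):
        print("run", n, summarize(run))
```

The `found` and `cleaned` counters in the header are ESET's own; the `restore_point_hits` / `live_hits` split is what the parser adds, and it is the number to look at before deciding whether a scan result explains a symptom on the running system.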
Re: 100k searches issue
Hi,

How's your computer running now?

Re: 100k searches issue
Hi,

I'm still denied access to any Windows installer. It either does the configuration of the installer and stops or I get a dialog box with: "Cannot launch C:\Windows\System32\msiexec.exe
Access is denied"

I cannot run OTL.com either.

Thanks in advance,

Re: 100k searches issue
Hi,


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

    • Download Win32kDiag (Win32kDiag.exe) - #1
    • Download Win32kDiag (Win32kDiag.exe) - #2
    • Download Win32kDiag (Win32kDiag.exe) - #3

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Re: 100k searches issue
Hi,

Here is the Win32kDiag log file:

Running from: C:\Documents and Settings\pscully\Desktop\Fixes\Win32kDiag.exe

Log file at : C:\Documents and Settings\pscully\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\CCM\CcmExec.exe

[1] 2009-09-18 04:00:00 764768 C:\WINDOWS\system32\CCM\CcmExec.exe ()

Cannot access: C:\WINDOWS\system32\msiexec.exe

[1] 2008-04-14 06:42:30 78848 C:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe (Microsoft Corporation)

[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\dllcache\msiexec.exe (Microsoft Corporation)

[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\msiexec.exe ()

Finished!

Thanks,

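Added example, not from the thread and not from Win32kDiag: a Python pass over the Win32kDiag log above that pairs each "Cannot access:" path with the `[n] date time size path (company)` entries for files of the same name and compares them. What it draws out is already visible in the log but easy to miss: the live C:\WINDOWS\system32\msiexec.exe has the same size (95744) and timestamp as the dllcache copy, yet its version information came back empty, while the dllcache copy reads as Microsoft Corporation. Identical metadata with unreadable version information points to the file being blocked (permissions or a lock) rather than replaced, and the tool's own "Could not get backup privileges!" warning fits that reading, since backup privilege is what would normally let it read past a restrictive ACL. The matching rule and the verdict wording are mine, not the tool's; a hash comparison from a clean boot environment is the confirmation step before acting on either verdict.

```python
import re
from collections import defaultdict

# Copied from the Win32kDiag log posted above (the page's own data).
WIN32KDIAG_LOG = r"""Running from: C:\Documents and Settings\pscully\Desktop\Fixes\Win32kDiag.exe
Log file at : C:\Documents and Settings\pscully\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\CCM\CcmExec.exe
[1] 2009-09-18 04:00:00 764768 C:\WINDOWS\system32\CCM\CcmExec.exe ()
Cannot access: C:\WINDOWS\system32\msiexec.exe
[1] 2008-04-14 06:42:30 78848 C:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe (Microsoft Corporation)
[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\dllcache\msiexec.exe (Microsoft Corporation)
[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\msiexec.exe ()
Finished!
"""

# Entry layout as it appears in the log: [n] date time size path (company)
ENTRY_RE = re.compile(
    r"^\[\d+\] (?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<company>[^()]*)\)$"
)

# Verdict strings (my wording, not Win32kDiag output).
NO_REFERENCE = "no reference copy to compare against"
DENIED = ("same size and timestamp as {} but version info unreadable: "
          "consistent with access denied, not replacement")
MATCHES = "matches a reference copy"
REPLACED = "size or timestamp differ from every reference copy: possibly replaced"


def parse_win32kdiag(text):
    """Collect the privilege warning, 'Cannot access' paths and [n] entries."""
    result = {"backup_privilege": True, "inaccessible": [], "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING: Could not get backup privileges"):
            result["backup_privilege"] = False
        elif line.startswith("Cannot access: "):
            result["inaccessible"].append(line[len("Cannot access: "):])
        else:
            m = ENTRY_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["size"] = int(entry["size"])
                result["entries"].append(entry)
    return result


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess(result):
    """For each inaccessible file, compare the live copy with same-named copies."""
    by_name = defaultdict(list)
    for e in result["entries"]:
        by_name[basename(e["path"])].append(e)
    verdicts = {}
    for path in result["inaccessible"]:
        copies = by_name[basename(path)]
        live = next((e for e in copies if e["path"].lower() == path.lower()), None)
        # Reference copies are the other entries whose version info was readable.
        refs = [e for e in copies if e is not live and e["company"]]
        if live is None or not refs:
            verdicts[path] = NO_REFERENCE
            continue
        twins = [r for r in refs if (r["size"], r["stamp"]) == (live["size"], live["stamp"])]
        if twins and not live["company"]:
            verdicts[path] = DENIED.format(twins[0]["path"])
        elif twins:
            verdicts[path] = MATCHES
        else:
            verdicts[path] = REPLACED
    return verdicts


if __name__ == "__main__":
    parsed = parse_win32kdiag(WIN32KDIAG_LOG)
    print("backup privilege available:", parsed["backup_privilege"])
    for path, verdict in assess(parsed).items():
        print(path, "->", verdict)
```

CcmExec.exe gets "no reference copy to compare against" because the log lists only the live file for that name; msiexec.exe gets the access-denied verdict, naming the dllcache copy it was matched against. The $NtUninstall copy is older and smaller and is correctly not treated as a twin.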
Re: 100k searches issue
Hi,

Submit a file for analysis.

1. Please visit this website: VirusTotal.com
2. Press the "Browse" button and locate the following file in bold:
   C:\WINDOWS\system32\msiexec.exe
3. Press the "Upload" button to submit the file for analysis.
4. Allow it to be scanned; it could take a few minutes depending on server load.
5. Copy and paste the result back here.

Re: 100k searches issue
Hi,

The file did not want to be uploaded. The main analysis page tried to upload and did nothing else. I tried installing the Uploader 2.0 and it responded that it couldn't open the file.

Thanks,
