WiredWX Christian Hobby Weather Tools

Searching blocked by Google

2 posters

Re: Searching blocked by Google
Yes, green and yes, 6 images

Re: Searching blocked by Google
Excellent!

Real quick...Do you happen to have Google Toolbar installed at all?

Re: Searching blocked by Google

In Firefox, but it is not available for Chrome, which I used 90% of the time. I am not using Chrome since this happened, nor have I used Google since I started this process with you...using Firefox, K-Meleon and Bing only. But yes, Google Toolbar in Firefox.

Re: Searching blocked by Google
Please Download Kenco.exe by jpshortstuff and save it to your Desktop.

  • Close all other programs before executing!
  • Double click Kenco.exe, to begin execution. Scan should only take a few minutes.
  • When finished, the log file "Kenco.log" will open in Notepad.
    It will also be saved in the same location as Kenco.exe which should be on your desktop.
  • Please post the contents of that log in your next reply.

Re: Searching blocked by Google

Kenco report, which incidentally took about 3 seconds, and you said a few minutes, so I hope it is accurate.

Kenco by jpshortstuff (31.12.09.1)
Log created at 19:11 on 09/05/2012 (Carolyn Blake)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
Adobe Flash Player Updater.job -> [15:15 27/04/2012] 830 bytes
AppleSoftwareUpdate.job -> [11:56 17/02/2010] 284 bytes
GoogleUpdateTaskMachineCore.job -> [21:36 15/02/2010] 896 bytes
GoogleUpdateTaskMachineUA.job -> [21:36 15/02/2010] 900 bytes
GoogleUpdateTaskUserS-1-5-21-823518204-606747145-1177238915-1003Core.job -> [22:51 15/02/2010] 958 bytes
GoogleUpdateTaskUserS-1-5-21-823518204-606747145-1177238915-1003UA.job -> [22:51 15/02/2010] 1010 bytes
RealUpgradeLogonTaskS-1-5-21-823518204-606747145-1177238915-1003.job -> [23:07 02/02/2011] 294 bytes
RealUpgradeScheduledTaskS-1-5-21-823518204-606747145-1177238915-1003.job -> [23:07 02/02/2011] 302 bytes
User_Feed_Synchronization-{AD86CA84-E512-4EF7-9AEF-BA4F952FD154}.job -> [21:46 15/02/2010] 438 bytes

-=E.O.F=-

Re: Searching blocked by Google

As far as we know here, your computer is indeed clean, but let's do a couple of other checks:

Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below


[Image: AswMBR_Scan]

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives


  • Once the scan finishes click Save log to save the log to your Desktop
    [Image: AswMBR_SaveLog]

  • Copy and paste the contents of aswMBR.txt back here for review

Re: Searching blocked by Google

aswMBR log file. It sat on the last line related to documents and settings for a very long time with no activity, and finally I clicked on save log. I assume it was finished but it never did say it was complete

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 19:56:15
-----------------------------
19:56:15.562 OS Version: Windows 5.1.2600 Service Pack 3
19:56:15.562 Number of processors: 2 586 0x170A
19:56:15.562 ComputerName: PRISS UserName:
19:56:16.031 Initialize success
20:08:07.125 AVAST engine defs: 12050900
20:08:18.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:08:18.187 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 3
20:08:18.203 Disk 0 MBR read successfully
20:08:18.218 Disk 0 MBR scan
20:08:18.265 Disk 0 Windows XP default MBR code
20:08:18.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
20:08:18.281 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
20:08:18.296 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
20:08:18.312 Disk 0 scanning sectors +488376000
20:08:18.421 Disk 0 scanning C:\WINDOWS\system32\drivers
20:08:31.031 Service scanning
20:08:32.609 Service ASUSProcObsrv E:\I386\AsProcOb.sys **LOCKED** 21
20:08:44.421 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:08:48.046 Modules scanning
20:08:56.281 Disk 0 trace - called modules:
20:08:56.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
20:08:56.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad25ab8]
20:08:56.343 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000087[0x8ad59f18]
20:08:56.359 5 ACPI.sys[b9e54620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad81d98]
20:08:56.781 AVAST engine scan C:\WINDOWS
20:09:07.281 AVAST engine scan C:\WINDOWS\system32
20:11:58.750 AVAST engine scan C:\WINDOWS\system32\drivers
20:12:15.703 AVAST engine scan C:\Documents and Settings\Carolyn Blake
20:13:20.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\MBR.dat"
20:13:20.343 The log file has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\aswMBR.txt"


Re: Searching blocked by Google
Please disregard the previous asw scan, it was incomplete

Correct ASW scan log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 20:19:35
-----------------------------
20:19:35.265 OS Version: Windows 5.1.2600 Service Pack 3
20:19:35.265 Number of processors: 2 586 0x170A
20:19:35.265 ComputerName: PRISS UserName:
20:19:35.937 Initialize success
20:19:41.515 AVAST engine defs: 12050900
20:20:00.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:20:00.296 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 3
20:20:00.312 Disk 0 MBR read successfully
20:20:00.328 Disk 0 MBR scan
20:20:00.359 Disk 0 Windows XP default MBR code
20:20:00.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
20:20:00.375 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
20:20:00.406 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
20:20:00.421 Disk 0 scanning sectors +488376000
20:20:00.531 Disk 0 scanning C:\WINDOWS\system32\drivers
20:20:16.953 Service scanning
20:20:18.500 Service ASUSProcObsrv E:\I386\AsProcOb.sys **LOCKED** 21
20:20:30.187 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:20:33.750 Modules scanning
20:20:50.265 Disk 0 trace - called modules:
20:20:50.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
20:20:50.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad25ab8]
20:20:50.343 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000087[0x8ad59f18]
20:20:50.359 5 ACPI.sys[b9e54620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad81d98]
20:20:50.812 AVAST engine scan C:\WINDOWS
20:21:03.484 AVAST engine scan C:\WINDOWS\system32
20:24:44.187 AVAST engine scan C:\WINDOWS\system32\drivers
20:25:08.171 AVAST engine scan C:\Documents and Settings\Carolyn Blake
20:49:00.265 AVAST engine scan C:\Documents and Settings\All Users
20:55:33.000 Scan finished successfully
20:57:01.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\MBR.dat"
20:57:01.468 The log file has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\aswMBR.txt"
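
The first aswMBR log above was saved before the scan ended, while the second carries a "Scan finished successfully" line. The sketch below is an added example, not something posted in the thread or shipped with aswMBR: it checks a log for that completion line, the MBR code verdict and any **LOCKED** service entries. The sample logs are abbreviated from the two posted above, and treating "default MBR code" as the unmodified-MBR verdict is an assumption based on the line these logs show.

```python
import re
from dataclasses import dataclass, field

# Timestamped aswMBR line: "HH:MM:SS.mmm <message>"
LINE_RE = re.compile(r"^\s*(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*\S)\s*$")
# "Service <name> <driver path> **LOCKED** <number>"
LOCKED_RE = re.compile(r"^Service\s+(\S+)\s+(.+?)\s+\*\*LOCKED\*\*\s+(\d+)$")
# "Disk 0 Windows XP default MBR code"
MBR_CODE_RE = re.compile(r"^Disk\s+\d+\s+(.*MBR code)$")
ENGINE_RE = re.compile(r"^AVAST engine scan\s+(.+)$")
FINISHED = "Scan finished successfully"


@dataclass
class Triage:
    complete: bool = False
    mbr_code: list = field(default_factory=list)      # verdict strings
    locked: list = field(default_factory=list)        # (service, path, number)
    engine_paths: list = field(default_factory=list)  # folders the engine reached
    review: list = field(default_factory=list)        # notes for the analyst


def triage_aswmbr(log_text: str) -> Triage:
    """Summarise an aswMBR text log without acting on anything in it."""
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner, separator or blank line
        msg = m.group(2)
        if msg == FINISHED:
            t.complete = True
        elif (hit := LOCKED_RE.match(msg)):
            t.locked.append((hit.group(1), hit.group(2), int(hit.group(3))))
        elif (hit := MBR_CODE_RE.match(msg)):
            t.mbr_code.append(hit.group(1))
        elif (hit := ENGINE_RE.match(msg)):
            t.engine_paths.append(hit.group(1))

    if not t.complete:
        last = t.engine_paths[-1] if t.engine_paths else "before the engine scan"
        t.review.append(f"incomplete: no '{FINISHED}' line; last stage: {last}")
    if not t.mbr_code:
        t.review.append("no MBR code verdict line found")
    for verdict in t.mbr_code:
        # Assumption: a stock MBR is reported as "... default MBR code".
        if "default MBR code" not in verdict:
            t.review.append(f"non-default MBR verdict: {verdict}")
    for svc, path, number in t.locked:
        # LOCKED entries are listed for a human to review, not treated as detections.
        t.review.append(f"LOCKED entry for review: {svc} -> {path} [{number}]")
    return t


# Abbreviated from the first (interrupted) log posted above.
INCOMPLETE_LOG = r"""
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 19:56:15
-----------------------------
20:08:18.203 Disk 0 MBR read successfully
20:08:18.265 Disk 0 Windows XP default MBR code
20:08:32.609 Service ASUSProcObsrv E:\I386\AsProcOb.sys **LOCKED** 21
20:08:44.421 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:11:58.750 AVAST engine scan C:\WINDOWS\system32\drivers
20:12:15.703 AVAST engine scan C:\Documents and Settings\Carolyn Blake
"""

# Abbreviated from the second (complete) log posted above.
COMPLETE_LOG = r"""
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 20:19:35
-----------------------------
20:20:00.312 Disk 0 MBR read successfully
20:20:00.359 Disk 0 Windows XP default MBR code
20:20:18.500 Service ASUSProcObsrv E:\I386\AsProcOb.sys **LOCKED** 21
20:20:30.187 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:25:08.171 AVAST engine scan C:\Documents and Settings\Carolyn Blake
20:49:00.265 AVAST engine scan C:\Documents and Settings\All Users
20:55:33.000 Scan finished successfully
"""

if __name__ == "__main__":
    for name, text in (("first log", INCOMPLETE_LOG), ("second log", COMPLETE_LOG)):
        result = triage_aswmbr(text)
        print(f"{name}: complete={result.complete} mbr={result.mbr_code}")
        for note in result.review:
            print("  -", note)
```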


Re: Searching blocked by Google
Your IP address is likely banned.

Call your ISP to get a new IP address assigned. This is best to be able to access Google again.

Re: Searching blocked by Google
Thank you Jay for all your help. I am in Turkey and things are difficult here for getting things like that accomplished. I am leaving in 3 weeks so my problem may be solved then. I have only had this IP address for 3 weeks, having picked up this new service then. I wonder if there could be someone on my network who is doing something to cause this. I deeply appreciate your help and how you stuck with me through this. If I have the same problem when I move to Romania, I will be back to address it again.

Re: Searching blocked by Google

It might have actually been malware. ComboFix reported deletions of two of the latest infections, reported in:

c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Carolyn Blake\g2mdlhlpx.exe IDENTIFIED as Trojan:fake-GoToMeeting Application
c:\documents and settings\Carolyn Blake\new.txt
c:\windows\~INSX362.EXE Commonly a Trojan paired with redirect malware
c:\windows\system32\drivers\etc\hosts.ics Static HOSTS file (modified by malware)
c:\windows\system32\roboot.exe Possibly related to Trojan.ZeroAccess


EXPLAINED:

Google takes these actions to prevent DDoS, which is Distributed Denial of Service. When it detects potential suspicious behavior from an IP address, the IP address is put on a temporary or permanent ban list.

Problem is, the malware you had, had the ability to control your computer and send anonymous requests to unknown/known servers, such as Google.

Only way to solve this issue the hard way is to remove the malware first, and then wait it out.

The easy way is to change your IP address after the malware is removed.


Just curious...run this scan real quick:


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

    Re: Searching blocked by Google
    Ok, I'm on it...back as soon as it's done. I just tried to use Google again and it instantly asked me for a captcha, because of "unusual activity," so I closed it and went back to bing. BRB...

    Re: Searching blocked by Google
    Running from: C:\Documents and Settings\Carolyn Blake\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Carolyn Blake\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...





    Finished!

    Re: Searching blocked by Google
    I just now filled out a form to join an online class...first time and only time, and I got this message (not from Google- I accessed the link from my email, and in Firefox)
    Security Image Verification

    We have received repeated subscriptions from your computer. To prevent automated signups we verify that it is a person signing up, and not an automated script.

    Type the characters below, exactly as shown, into the box provided without spaces. The letters are case sensitive.

    We monitor our system very closely to prevent the use of harmful programs to submit large numbers of signups, which may cause problems for other users, and generate undue Spam complaints.

    Re: Searching blocked by Google
    Please open Notepad and enter in the following:
    @echo off
    echo DNS renewal >log.txt
    echo %date% >>log.txt
    ipconfig /flushdns >>log.txt
    pause
    ipconfig /release >>log.txt
    pause
    ipconfig /renew >>log.txt
    pause
    ipconfig /all >>log.txt
    pause
    start log.txt
    exit

    Then, click File > Save as...
    Save as dns.bat to your Desktop.
    Choose Save as type... All Files.
    Click Save.

    Then, exit Notepad.

    Double-click on dns.bat, and it will finish quickly and launch a log.

    Please post that in your next reply.

    Re: Searching blocked by Google
    I had to "press any key" several times to get it to run, after the cmd window opened, but here it is.

    DNS renewal
    Thu 05/10/2012


    Windows IP Configuration



    Successfully flushed the DNS Resolver Cache.



    Windows IP Configuration



    No operation can be performed on Local Area Connection while it has its media disconnected.

    No operation can be performed on Local Area Connection 4 while it has its media disconnected.

    IP Address for adapter Wireless Network Connection has already been released.



    Windows IP Configuration



    No operation can be performed on Local Area Connection while it has its media disconnected.

    No operation can be performed on Local Area Connection 4 while it has its media disconnected.

    An error occurred while renewing interface Wireless Network Connection : The DHCP client has obtained an IP address that is already in use on the network. The local interface will be disabled until the DHCP client can obtain a new address.





    Windows IP Configuration



    Host Name . . . . . . . . . . . . : PRISS

    Primary Dns Suffix . . . . . . . :

    Node Type . . . . . . . . . . . . : Hybrid

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No



    Ethernet adapter Local Area Connection:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller

    Physical Address. . . . . . . . . : 90-E6-BA-94-B4-30



    Ethernet adapter Local Area Connection 4:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : TAP-Win32 Adapter V9

    Physical Address. . . . . . . . . : 00-FF-E9-44-45-15



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter

    Physical Address. . . . . . . . . : 00-25-D3-BF-53-68

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 0.0.0.0

    Subnet Mask . . . . . . . . . . . : 0.0.0.0

    Default Gateway . . . . . . . . . :

    DHCP Server . . . . . . . . . . . : 255.255.255.255

    Re: Searching blocked by Google
    You were not connected to the network when these operations were run?

    Try the sign up process again for that one thing...

    Also, if you do connect to the network, re-run the batch file as above (purposely has the pauses to press any key). Goofy

    Re: Searching blocked by Google
    I am not sure about this. I was online through my regular service. What could this mean?
    I have seen that "media disconnected" message many times during all these attempts to clean up my system. Yes I am online.

    Re: Searching blocked by Google
    What current firewalls do you have? Do you have one on a router? One on the computer(s)?

    Re: Searching blocked by Google
    First, before I answer your question, what does "media disconnected" indicate is going on?

    I use the Windows XP native firewall, set to default. My router is an Airties RT-206v4...European I suppose, and its firewall is on, and this is the description:

    Firewall protects your computers and your network against harmful attacks from the Internet. Your modem's firewall has Stateful Packet Inspection (SPI) feature that will inspect every packet coming from the Internet to your modem and will not allow any that is not authorized to pass through. Using the Firewall menu, you can also define advanced rules to allow or prohibit local users in your network to access the Internet, to open certain ports that allow packets to reach applications running on local clients, and to forward all incoming traffic to a certain computer.

    Re: Searching blocked by Google
    Media disconnected means the network adapter or LAN adapter or ethernet hub is not connected to the internet.

    Go to Start > Run, type in cmd and hit OK.

    Type this in to the black box:

    ping www.news.com > log.txt && log.txt

    and hit enter...

    post the log back to me please.

    Re: Searching blocked by Google
    I did get a report, and I am assuming I entered the syntax correctly as per spaces.


    Pinging phx1-rb-gtm3-tron-xw-lb.cnet.com [64.30.224.82] with 32 bytes of data:



    Reply from 64.30.224.82: bytes=32 time=242ms TTL=238

    Reply from 64.30.224.82: bytes=32 time=245ms TTL=238

    Reply from 64.30.224.82: bytes=32 time=243ms TTL=238

    Reply from 64.30.224.82: bytes=32 time=241ms TTL=238



    Ping statistics for 64.30.224.82:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 241ms, Maximum = 245ms, Average = 242ms

    Re: Searching blocked by Google
    I did it again, using a copy/paste and got a different response:



    Pinging phx1-rb-gtm3-tron-xw-lb.cnet.com [64.30.224.82] with 32 bytes of data:



    Reply from 64.30.224.82: bytes=32 time=239ms TTL=238

    Reply from 64.30.224.82: bytes=32 time=238ms TTL=238

    Reply from 64.30.224.82: bytes=32 time=240ms TTL=238

    Reply from 64.30.224.82: bytes=32 time=241ms TTL=238



    Ping statistics for 64.30.224.82:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 238ms, Maximum = 241ms, Average = 239ms

    Re: Searching blocked by Google
    Okay...I need a closer test to your country... run this command please, the same way:

    ping www.airties.com > log.txt && log.txt

    Post the log when done, please. Smile...

    Re: Searching blocked by Google


    Pinging www.airties.com [85.111.19.108] with 32 bytes of data:



    Reply from 85.111.19.108: bytes=32 time=30ms TTL=55

    Reply from 85.111.19.108: bytes=32 time=30ms TTL=55

    Reply from 85.111.19.108: bytes=32 time=30ms TTL=55

    Reply from 85.111.19.108: bytes=32 time=26ms TTL=55



    Ping statistics for 85.111.19.108:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 26ms, Maximum = 30ms, Average = 29ms

    Re: Searching blocked by Google
    Very good. Now, I'm curious...which Google are you using? Standard .com or other TLD (top level domain such as .co.uk or .it, etc.)?

    Re: Searching blocked by Google
    Most of the time .com but sometimes my vpn is off and I might end up with .uk, .ro, .md, or .tr. I always make an effort to use US google, but sometimes I use my vpn and go thru UK or Romania or Moldova. I am in Turkey now.

    Re: Searching blocked by Google
    I'm sticking to my previous opinion: http://www.GeekPolice.net/t28740p15-searching-blocked-by-google#199001

    Re: Searching blocked by Google
    Thank you Jay for all your help. If your final advice is to get my provider to assign me a new IP address, I can try but I seriously doubt that I will have any success with that. In any case I leave Turkey in 2 weeks on May 28, to go to Romania, and if the problem is local it will be solved then. If I have the same issue, I will let you know.

    I don't know if this is pertinent, but there is another user in my household who connects wirelessly as I do to the same router and she has never had this problem. In her case, she only does email and research for her writing, not the heavy usage I do.

    Re: Searching blocked by Google
    You're saying the other user can connect and use Google.com in the same house?

    Are your IP addresses similar or different?

    Re: Searching blocked by Google
    I would have to check our IP addresses, but her computer and mine are both receiving a wireless signal from the same router. I will check our IPs tomorrow.

    Re: Searching blocked by Google
    ok

    Re: Searching blocked by Google
    we both have the same IP address. She also just told me that she is having trouble with Google, but different from mine. She navigates to a site, either from selecting a hit on the Google SERPs page, or from typing it in, and gets the 404 error, then if she hits the back arrow, the site will show up. I just verified this because it took me about 6 tries to get a site to come up on her computer that could tell me her IP, and then only by using the back arrow. I am only using Bing now, and have not tested Google since you and I started trying to sort this out.

    Re: Searching blocked by Google
    Okay...well you know what to do, if it's even possible to work.

    Re: Searching blocked by Google
    Hey there DM Jay,
    I am now in Romania. At the end of your very dedicated attempt to help me sort out this Google blockage, you concluded that I needed to get a new IP assigned, but I declined because I was about to leave Turkey and that provider. Since arriving in Romania I am on a totally new, completely unrelated (to Turkey) provider, Romtelecom. I have been using Bing exclusively. Yesterday I tried using Google again and instantly received the notice of automated activity and had to use a captcha. So I backed off of Google and went back to Bing. A few min. ago I tried Google again and got this message:
    We're sorry...
    ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.

    Here I am in Romania, used Google a total of about 5 times and this. I was using Chrome, I have AVG installed and I ran Malwarebytes on full scan today and got 0 hits. I am truly baffled and I do not have a clue what to do. Is it possible there is some deep hidden program buried in my OS? The thought of reinstalling XP gives me the heebie jeebies.

    Re: Searching blocked by Google
    Let's take a look if you like!

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

        Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt


    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • type exit and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

    Re: Searching blocked by Google
    Thanks a gazillion for being willing to continue with this. It's become a quest with me now to find the gremlin. I will get on this tomorrow...being hours later than the US, it's already midnight here.

    Re: Searching blocked by Google
    Okie dokie. See you on the other side of the moon. Hooray!

    Re: Searching blocked by Google
    I tried this and when I hit F8, I do not see any choice for Repair Your Computer. There is a line that says something..didn't write it down but I can if you need it...about debugger installed and do not select this.
    So what do we do now?

    Re: Searching blocked by Google
    Let's work with a similar tool, please:

    Please download FarbarServiceScanner and run it on the computer with the issue.
    http://download.bleepingcomputer.com/farbar/FSS.exe


    Make sure the following options are checked:
    Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.

    Re: Searching blocked by Google
    Farbar Service Scanner Version: 09-06-2012
    Ran by Carolyn Blake (administrator) on 17-06-2012 at 13:20:28
    Running from "C:\Documents and Settings\Carolyn Blake\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****

    Re: Searching blocked by Google
    Please download aswMBR from here


    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below


    [Image: AswMBR_Scan]

    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives


    • Once the scan finishes click Save log to save the log to your Desktop
      [Image: AswMBR_SaveLog]

    • Copy and paste the contents of aswMBR.txt back here for review



    AND


    Please test your DNS Resolution by visiting here: http://www.dns-ok.us/

    Tell me if that is green or not...

    Also for this site: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

    Tell me if you see all six images at the top...

    Re: Searching blocked by Google
    DNS Resolution: GREEN
    All 6 images visible


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-17 22:34:36
    -----------------------------
    22:34:36.859 OS Version: Windows 5.1.2600 Service Pack 3
    22:34:36.859 Number of processors: 2 586 0x170A
    22:34:36.859 ComputerName: PRISS UserName:
    22:34:37.953 Initialize success
    22:40:34.359 AVAST engine defs: 12061700
    22:40:46.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    22:40:46.406 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 3
    22:40:46.421 Disk 0 MBR read successfully
    22:40:46.421 Disk 0 MBR scan
    22:40:46.453 Disk 0 Windows XP default MBR code
    22:40:46.468 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
    22:40:46.484 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
    22:40:46.500 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
    22:40:46.515 Disk 0 scanning sectors +488376000
    22:40:46.625 Disk 0 scanning C:\WINDOWS\system32\drivers
    22:40:58.937 Service scanning
    22:41:12.078 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
    22:41:15.687 Modules scanning
    22:41:21.640 Disk 0 trace - called modules:
    22:41:21.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
    22:41:21.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad7fab8]
    22:41:21.703 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000088[0x8ad529e8]
    22:41:21.718 5 ACPI.sys[b9e54620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad52d98]
    22:41:22.265 AVAST engine scan C:\WINDOWS
    22:41:33.546 AVAST engine scan C:\WINDOWS\system32
    22:44:19.078 AVAST engine scan C:\WINDOWS\system32\drivers
    22:44:35.703 AVAST engine scan C:\Documents and Settings\Carolyn Blake
    23:11:32.781 AVAST engine scan C:\Documents and Settings\All Users
    23:21:23.015 Scan finished successfully



    Re: Searching blocked by Google
    GMER

    Note about this tool:
    • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
    • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
    • No matter what is in the log, please post all the information/contents of the log.
    • These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT"


    Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.

    Re: Searching blocked by Google
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-06-18 21:18:50
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9250315AS rev.0002SDM1
    Running: gmer.exe; Driver: C:\DOCUME~1\CAROLY~1\LOCALS~1\Temp\kxtdapog.sys


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwCreateKey [0xB9ECFA50]
    SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE]
    SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xA65C5004]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xA65C50D4]
    SSDT sptd.sys ZwOpenKey [0xB9ECFA30]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA65C4D76]
    SSDT sptd.sys ZwQueryKey [0xB9F04464]
    SSDT sptd.sys ZwQueryValueKey [0xB9F042E4]
    SSDT sptd.sys ZwSetValueKey [0xB9F044F6]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA65C4E1E]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA65C4EBA]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA65C4F56]

    INT 0x63 ? 8AE10CC8
    INT 0x63 ? 8AE10CC8
    INT 0x63 ? 8AE10CC8
    INT 0x63 ? 8AE10CC8
    INT 0x63 ? 8ABFBCC8
    INT 0x63 ? 8ABFBCC8
    INT 0x63 ? 8AE10CC8
    INT 0x94 ? 8ABFBCC8
    INT 0xA4 ? 8ABFBCC8
    INT 0xB4 ? 8ABFBCC8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504648 2 Bytes [76, 4D] {JBE 0x4f}
    .text sptd.sys B9E95000 4 Bytes [A6, BB, 6E, 80]
    .text sptd.sys B9E95005 27 Bytes [69, 6E, 80, 30, 68, 6E, 80, ...]
    .text sptd.sys B9E95024 4 Bytes [74, 7F, E8, B9]
    .text sptd.sys B9E9502C 88 Bytes [B4, 1A, 5E, 80, 76, 86, 5E, ...]
    .text sptd.sys B9E95085 156 Bytes [57, 53, 80, 44, A2, 4F, 80, ...]
    .text ...
    .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB9F8CD38]
    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload B8CC18AC 5 Bytes JMP 8ABFB1D8
    .text a1qr7h9i.SYS B8A95306 50 Bytes [00, 00, 00, 48, 03, 00, F0, ...]
    .text a1qr7h9i.SYS B8A95339 23 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text a1qr7h9i.SYS B8A95351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text a1qr7h9i.SYS B8A953A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    .text a1qr7h9i.SYS B8A953B4 12 Bytes [40, 00, 00, C8, 50, 41, 47, ...] {INC EAX; ADD [EAX], AL; ENTER 0x4150, 0x47; INC EBP; ADD [EAX], AL; ADD [EAX], AL}
    .text ...
    init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xA84D8280]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9E96574] sptd.sys
    IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys
    IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9E96362] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9E962A4] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9E971BC] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EAB312] sptd.sys
    IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KeGetCurrentIrql] 5E0001F4
    IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfAcquireSpinLock] C2C95B5F
    IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfReleaseSpinLock] 5F380008
    IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfRaiseIrql] 56227411
    IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfLowerIrql] A9763A68
    IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] F7C31352

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8AE0F1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/ASUSTek Computer Inc)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBPDO-0 8ABFA1F8
    Device \Driver\usbehci \Device\USBPDO-1 8ABD81F8
    Device \Driver\usbuhci \Device\USBPDO-2 8ABFA1F8
    Device \Driver\usbuhci \Device\USBPDO-3 8ABFA1F8
    Device \Driver\usbuhci \Device\USBPDO-4 8ABFA1F8

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBPDO-5 8ABFA1F8
    Device \Driver\usbehci \Device\USBPDO-6 8ABD81F8
    Device \Driver\usbuhci \Device\USBPDO-7 8ABFA1F8
    Device \Driver\Cdrom \Device\CdRom0 8AB303A0
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom1 8AB303A0
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A5031F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{E9444515-56BF-446C-8E1D-97E9ED9B937B} 8A5031F8
    Device \Driver\NetBT \Device\NetbiosSmb 8A5031F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{9C8FE2C6-5E15-43BE-B1A7-20162ABF33FA} 8A5031F8

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\PCI_PNP8472 \Device\0000005d sptd.sys
    Device \Driver\PCI_PNP8472 \Device\0000005d sptd.sys

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBFDO-0 8ABFA1F8
    Device \Driver\usbuhci \Device\USBFDO-1 8ABFA1F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 896AF1F8
    Device \Driver\usbuhci \Device\USBFDO-2 8ABFA1F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 896AF1F8
    Device \Driver\usbehci \Device\USBFDO-3 8ABD81F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{6C1DE315-5661-4764-8FB9-ED7F722BD42A} 8A5031F8
    Device \Driver\usbuhci \Device\USBFDO-4 8ABFA1F8
    Device \Driver\usbuhci \Device\USBFDO-5 8ABFA1F8
    Device \Driver\usbuhci \Device\USBFDO-6 8ABFA1F8
    Device \Driver\usbehci \Device\USBFDO-7 8ABD81F8
    Device \Driver\a1qr7h9i \Device\Scsi\a1qr7h9i1Port4Path0Target0Lun0 8AAFD1F8
    Device \Driver\a1qr7h9i \Device\Scsi\a1qr7h9i1 8AAFD1F8
    Device \FileSystem\Cdfs \Cdfs 8A5311F8

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB9 0x78 0x43 0xDE ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0E 0xF9 0xCB 0x1B ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x63 0x2A 0xFD 0x58 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB9 0x78 0x43 0xDE ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0E 0xF9 0xCB 0x1B ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x63 0x2A 0xFD 0x58 ...

    ---- Files - GMER 1.0.15 ----

    File C:\ADSM_PData_0150 0 bytes
    File C:\ADSM_PData_0150\DB 0 bytes
    File C:\ADSM_PData_0150\DB\SI.db 624 bytes
    File C:\ADSM_PData_0150\DB\UL.db 16 bytes
    File C:\ADSM_PData_0150\DB\VL.db 16 bytes
    File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
    File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
    File C:\ADSM_PData_0150\_avt 512 bytes

    ---- EOF - GMER 1.0.15 ----
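A triage aid for a GMER log like the one above, added here as an example (it is not part of the thread and is not code from GMER or its author): it groups SSDT and IAT entries by the module the log names as the target, so a reviewer can see which drivers own hooks and which entries name no module at all. The line patterns are assumptions inferred from the shapes of the lines in this log, and the names `summarize`, `report` and `UNRESOLVED` are hypothetical.

```python
import ntpath
import re
from collections import defaultdict

# A subset of lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
SSDT sptd.sys ZwCreateKey [0xB9ECFA50]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA65C4D76]
SSDT sptd.sys ZwOpenKey [0xB9ECFA30]
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KeGetCurrentIrql] 5E0001F4
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfAcquireSpinLock] C2C95B5F
Device \Driver\PCI_PNP8472 \Device\0000005d sptd.sys
"""

# Assumed shapes: "SSDT <owner> [(<vendor text>)] <ZwFunc> [0xADDR]" and
# "IAT <module>[<dll>!<import>] [ADDR] <owner>" or "... <bare ADDR>".
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<owner>.+?\.sys)(?:\s+\((?P<desc>.*?)\s*\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$", re.IGNORECASE)
IAT_RE = re.compile(
    r"^IAT\s+(?P<victim>.+?)\[(?P<imp>[^\]]+)\]\s+"
    r"(?:\[[0-9A-Fa-f]+\]\s+(?P<owner>\S+)|[0-9A-Fa-f]+)$")
UNRESOLVED = "<unresolved>"  # IAT entries where the log names no module

def module(path):
    """Reduce a driver path to a lower-case file name for grouping."""
    return ntpath.basename(path.strip()).lower()

def summarize(log):
    """Group SSDT and IAT entries by target module; other lines are skipped."""
    owners = defaultdict(lambda: {"desc": None, "ssdt": [], "iat": []})
    for line in log.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            entry = owners[module(m["owner"])]
            entry["desc"] = m["desc"] or entry["desc"]
            entry["ssdt"].append(m["func"])
            continue
        m = IAT_RE.match(line)
        if m:
            owner = module(m["owner"]) if m["owner"] else UNRESOLVED
            owners[owner]["iat"].append((module(m["victim"]), m["imp"]))
    return dict(owners)

def report(owners):
    """One summary line per module, for pasting into review notes."""
    return [f"{name}: {len(e['ssdt'])} SSDT, {len(e['iat'])} IAT "
            f"({e['desc'] or 'no vendor string in log'})"
            for name, e in sorted(owners.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

The grouping only organises what the log already says; it does not decide whether a module is malicious, which still needs the file, service and vendor checks the thread goes on to perform.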

    Re: Searching blocked by Google
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      :filefind
      a1qr7h9i.SYS


    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Re: Searching blocked by Google
    SystemLook 30.07.11 by jpshortstuff
    Log created at 20:14 on 19/06/2012 by Carolyn Blake
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "a1qr7h9i.SYS"
    No files found.

    -= EOF =-

    Re: Searching blocked by Google
    We need to use GMER to delete a service and remove the file:

    • Open the gmer folder and double click gmer.exe to run the program
    • On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.

    • Click on the > > > tab to open the menus

    • Click on the Services tab

    • Scroll down until you find the following Service (Note: This may be highlighted in red)

      a1qr7h9i.SYS

    • Click on the Service Name to Highlight it, then right click and choose Delete...
    • Click OK at the first confirmation dialog to remove the service
    • Click OK to the second confirmation dialog to remove the file
    • Click OK to exit the program

    Let me know of any problems you encountered.

    Re: Searching blocked by Google
    I searched carefully thru the "Name" fields and the Filename fields and could not find the file we need. I tried running GMER twice to be sure. I'm curious because the last program SystemLook... I ran a search for that file and it was not found.

    Re: Searching blocked by Google
    We'll need to use DeFogger to disable CD emulation drivers...

    To disable CD Emulation programs using DeFogger please perform these steps:
    • Please download DeFogger to your desktop.
    • Once downloaded, double-click on the DeFogger icon to start the tool.
    • The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers
    • When it prompts you whether or not you want to continue, please click on the Yes button to continue
    • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.



    Then, please re-run GMER and post a new log.
