bloopie

No problem, and thank you for letting me know! Best regards, and safe surfing! bloopie

Hi again, Yes, your system is infected with a partition rootkit called Pihar. Here are some links regarding information on the infection in case you'd like to know: http://blog.eset.com...8/tdl4-rebooted TDL4/MaxSS Partition Rootkit First, a warning: One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you'd still like to clean the machine, then follow the next steps. ========== Just to be on the safe side, I will need you to run ListParts again from a recovery environment so that I know for sure of the partition structure. Do you have that USB device handy? If so, do this next. If not, stop here and let me know: Download ListParts64 to a USB flash drive. Plug the USB drive into the infected machine. Boot your computer into Recovery Environment Restart the computer and press F8 repeatedly until the Advanced Options Menu appears. Select Repair your computer. Select Language and click Next Enter password (if necessary) and click OK, you should now see the screen below ... Select the Command Prompt option. A command window will open. Type notepad then hit Enter. Notepad will open. Click File > Open then select Computer. Note down the drive letter for your USB Drive. Close Notepad. [*]Back in the command window .... Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive) ListParts will start to run. Press the Scan button. When finished scanning it will make a log Result.txt on the flash drive. [*]Close the command window. [*]Boot back into normal mode and post me the Result.txt log please. bloopie

Hi again, Yes, I do recall that and I'm sorry I didn't mention it. You are showing signs of a nasty rootkit and I wanted to take care of that first before tackling the activation issue. But you seem to have gotten that sorted out...good work! Now let's see if we can confirm the rootkit is on board. Do you have access to a removable USB device in case we need it? You can try and run aswMBR from my previous post, but it may also not run either. In addition to that do the following next for me: Download ListParts64 to your Desktop. Double click ListParts64.exe to launch the program. Press the Scan button. When finished scanning it will make a log Result.txt on your Desktop. Please post me the contents of the log in your next reply. bloopie

If you're still being redirected, then run these next: Step 1 Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!! Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator. If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension. Click the Start Scan button. Do not use the computer during the scan If the scan completes with nothing found, click Close to exit. If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed. A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:). Copy and paste the contents of that file in your next reply. ========== Step 2 Please download aswMBR ( 4.5MB ) to your desktop. Double click the aswMBR.exe icon, and click Run. When asked if you'd like to "download the latest Avast! virus definitions", click Yes. Click the Scan button to start the scan. On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply. bloopie

Hi again, It's my pleasure! Are you still being redirected? What is the status of the machine now? bloopie

Hello xk49w, and My name is bloopie and I'll be helping you with your problems as best I can! A few things to keep in mind while we are working together: If you have since resolved the original problem you were having, I would appreciate it if you let me know. If you are unsure about any of the steps just post what you can and I will guide you! Please tell me if you have your original Windows CD/DVD available. Please copy and paste all logs here unless otherwise instructed! Upon completing the steps below I will review your topic an do my best to resolve your issues. Does your browser redirect with IE only, or other browsers as well? ========== Run Combofix You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this) Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here< Combofix may need to reboot your computer more than once to do its job...this is normal. You can download Combofix from the following link: Link 1 Close any open browsers or any other programs that are open. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply. Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall Note 2: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer ========== Please include the following in your next reply: The Combofix log An answer to my questions above bloopie

Thank you very much! bloopie

Hello again, I have reported this to sUBs as well, and it's been removed from Combofix's deletions. Here is the log: Malwarebytes Anti-Malware (Trial) 1.62.0.1300 www.malwarebytes.org Database version: v2012.07.26.11 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Carol :: CAROL-PC [administrator] Protection: Enabled 7/26/2012 12:50:10 PM mbam-log-2012-07-26 (13-00-47)--FP!!!.txt Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 64855 Time elapsed: 10 minute(s), 12 second(s) [aborted] Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 6 HKCR\CLSID\{45CE511B-A929-11D5-9221-0048545CF4D6} (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] HKCR\TypeLib\{45CE510E-A929-11D5-9221-0048545CF4D6} (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] HKCR\Interface\{45CE511A-A929-11D5-9221-0048545CF4D6} (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] HKCR\VPONX.NpwmAdo.1 (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] HKCR\VPONX.NpwmAdo (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{45CE511B-A929-11D5-9221-0048545CF4D6} (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Program Files (x86)\DVR Controls\VPONAdo.dll (Trojan.Genome) -> No action taken. [bae90e113d2089ad3f5788fdf908f20e] (end) I'm also attaching the log as well as two zipped samples for you. Thank you for your time! bloopie mbam-log-2012-07-26 (13-00-47)--FP!!!.zip VPONAdo.zip NPPlayer.zip

Thank you very much!! bloopie

No problem, I'll attach them both for you! bloopie Atcwiz2k.zip atobjmgr2k.zip

Sorry, Here is the zipped attachment... Falsepositives (17-49-46).zip

Hi all, MBAM will detect parts of the invoicing software I use at work, and this program is legit. It's a part of Accusoft Enterprises. Here is the logfile: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.05.02.06 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 JOHNCAP :: JOHNC [administrator] 5/2/2012 4:10:05 PM Falsepositives (17-49-46) Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 257684 Time elapsed: 1 hour(s), 34 minute(s), 57 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 2 HKCR\TypeLib\{DE266256-4B5B-4B50-8349-8ADDFAAE4099} (Backdoor.IRCBot) -> No action taken. [d6488e3aeb710b2b00067416f010d12f] HKCR\Interface\{57A0C962-0945-41CA-AB55-8037410CD475} (Backdoor.IRCBot) -> No action taken. [d6488e3aeb710b2b00067416f010d12f] Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 2 C:\Program Files\Atwin\Atcwiz2k.exe (Backdoor.IRCBot) -> No action taken. [1707fdcba7b55ed860a6bad0d52b0000] C:\Program Files\Atwin\atobjmgr2k.exe (Backdoor.IRCBot) -> No action taken. [d6488e3aeb710b2b00067416f010d12f] (end) Thanks for looking at this! bloopie Falsepositives (17-49-46).txt