Help!

BSOD on Vista, I think it's related to spyware/virus...

 
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sat Apr 11, 2009 8:24 am    Post subject: BSOD on Vista, I think it's related to spyware/virus...

Hey guys, any help would be greatly appreciated. I'm in a really sticky situation at the moment...

Basically, I can't log into Vista (32-bit) in normal mode without getting a BSOD

with the error message:

*** STOP: 0X0000008E (0XC0000005, 0X8BDA092D, 0X9AEC2000, 0X00000000)

There's no file linked to the error message and that's all I get.
This started only a few days ago when I downloaded a dodgy file (stupid, yes, I know) and then I suddenly got the blue screen. I've deleted the file, uninstalled the program (it was an artificial voice, kinda like Microsoft Sam) and run multiple virus scans and spyware scans, all to no avail. I'm currently running in safe mode with network support.

Another thing which I've noticed is that my internet browser (Firefox) randomly redirects from the Google search results page when I click on a link. I've taken a few print screens to show you what I mean:

http://i4.photobucket.com/albums/y102/koolkarts/Spyware1.jpg
http://i4.photobucket.com/albums/y102/koolkarts/spyware2.jpg

I haven't managed to get a screenshot of it, but I also get a web page related to
"web media player". I'm pretty sure this is also spyware, but I'm also pretty certain that I don't have it installed.

These redirections occur randomly when I'm browsing through Google search results and clicking on them. It's really frustrating me, and it only happens through Google. If I copy and paste the website address then the redirections don't occur.

I googled around quite a bit searching for my problem and apparently these BSOD errors can occur if you have bad RAM. I ran the Windows memtest tool at startup and it said my memory was fine, and I also believe that the problem can't be with my memory but with the spyware/virus, as the BSOD only started happening after it.

I've tried everything, and I really can't afford to do a clean install of Vista; I won't be able to get an external hard drive for quite some time and I need my laptop back in working condition. I tried out the solutions in this thread:

http://help.lockergnome.com/general/Help-Firefox-redirected--ftopict56590.html

but to no avail. I've tried a startup repair with a Vista recovery disk, and again to no avail. As soon as I log into normal mode, my desktop, icons and taskbar appear, and then suddenly I get the blue screen. Please help me!!

My HijackThis logfile says the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:08:57, on 11/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mspaint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_2ba5baa4\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_2ba5baa4\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 4137 bytes
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sat Apr 11, 2009 11:01 am    Post subject:

UPDATE: I think the virus is located in my recovery hard drive partition, D:\.

When running an avast antivirus scan, the scan froze at 98% (with no viruses previously detected) at D:\Windows\System32\config.

I went on to specifically scan the config folder on its own, and again the scan froze, but this time it was more specific:

http://i4.photobucket.com/albums/y102/koolkarts/error.jpg

Any help guys?
Thanks
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sat Apr 11, 2009 11:10 am    Post subject:

It turns out that the antivirus isn't freezing on that file, it's freezing on the file after it...

...which is called SOFTWARE. I can't open the file, not even in Notepad, and it just freezes when I choose to scan it with Malwarebytes or Avast. I can't right-click on it or choose Properties, and it doesn't say what the file type is. If I place the mouse over it, all I get is "Type: File". I remember ages ago when this whole problem first occurred, I ended up finding a win32 on my D partition drive. At the time I deleted it, and it hasn't come up since, but I have a feeling that all this is related.
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Sat Apr 11, 2009 11:59 am    Post subject:

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sat Apr 11, 2009 12:51 pm    Post subject:

I've located the viruses!! I've got the trojan Bitfrost present, and a few other tracking cookies. I used this software called "Exterminate It" on a trial, but because I don't have the full version I couldn't actually delete the files.

Any ideas what to do?
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sat Apr 11, 2009 1:00 pm    Post subject:

The Bitfrost Trojan is located at

HKEY_Current_user\software\wget
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sat Apr 11, 2009 8:53 pm    Post subject:

Ok, I took a risk and deleted that above key from regedit, but to no avail; I'm still getting the BSOD and redirections on Google.

I just ran the ComboFix thing.

My log is:

ComboFix 09-04-04.01 - Kartik 2009-04-12 1:51:48.3 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1674 [GMT 1:00]
Running from: c:\users\Kartik\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 090410-0] *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-11 17:43 . 2009-04-11 17:45 <DIR> d-------- c:\program files\Exterminate It!
2009-04-11 13:32 . 2009-02-05 21:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-04-11 00:11 . 2009-04-11 00:11 <DIR> d-------- C:\minidump
2009-04-10 23:33 . 2009-04-10 23:33 <DIR> d-------- c:\program files\LSoft Technologies
2009-04-10 23:21 . 2009-04-10 23:21 0 --a------ c:\windows\nsreg.dat
2009-04-10 22:41 . 2009-04-10 22:41 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2009-04-10 22:41 . 2009-04-10 22:41 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2009-04-10 11:32 . 2009-04-10 11:32 <DIR> d-------- c:\users\Kartik\AppData\Roaming\Malwarebytes
2009-04-10 11:32 . 2009-04-10 11:32 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-04-10 11:32 . 2009-04-10 11:32 <DIR> d-------- c:\programdata\Malwarebytes
2009-04-10 11:32 . 2009-04-11 14:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-10 11:32 . 2009-04-06 15:32 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-04-10 11:32 . 2009-04-06 15:32 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-04-09 23:57 . 2009-04-09 23:57 <DIR> d-------- c:\users\Kartik\AppData\Roaming\Publish Providers
2009-04-09 23:57 . 2009-04-09 23:57 <DIR> d-------- c:\program files\VSTplugins
2009-04-09 23:56 . 2009-04-09 23:56 <DIR> d-------- c:\users\Kartik\AppData\Roaming\Sony
2009-04-09 23:56 . 2009-04-09 23:56 <DIR> d-------- c:\users\All Users\TEMP
2009-04-09 23:56 . 2009-04-09 23:56 <DIR> d-------- c:\programdata\TEMP
2009-04-09 21:59 . 2009-04-09 21:59 <DIR> d-------- c:\users\All Users\Sony
2009-04-09 21:59 . 2009-04-09 21:59 <DIR> d-------- c:\programdata\Sony
2009-04-09 21:59 . 2009-04-09 21:59 <DIR> d-------- c:\program files\Sony
2009-04-09 21:58 . 2009-04-09 21:58 <DIR> d-------- c:\program files\Sony Setup
2009-04-09 18:00 . 2009-04-09 18:01 <DIR> d-------- c:\program files\Instant CD & DVD Burner
2009-04-09 17:59 . 2009-04-09 17:59 <DIR> d-------- c:\windows\System32\temp
2009-04-09 17:53 . 2009-04-10 23:08 <DIR> d-------- c:\program files\Burn4Free Toolbar
2009-04-09 17:52 . 2009-04-09 17:52 691 --a------ c:\users\Kartik\AppData\Roaming\GetValue.vbs
2009-04-09 17:52 . 2009-04-09 17:52 35 --a------ c:\users\Kartik\AppData\Roaming\SetValue.bat
2009-04-09 17:40 . 2009-04-09 17:40 <DIR> d-------- C:\VundoFix Backups
2009-04-09 17:35 . 2009-04-09 17:35 <DIR> d-------- C:\Rustbfix
2009-04-09 15:35 . 2009-04-09 15:46 1,905 --a------ c:\windows\diagwrn.xml
2009-04-09 15:35 . 2009-04-09 15:46 1,905 --a------ c:\windows\diagerr.xml
2009-04-09 15:25 . 2009-04-09 15:25 <DIR> d-------- c:\program files\Trend Micro
2009-04-09 12:50 . 2009-04-09 12:50 <DIR> d-------- c:\program files\Alwil Software
2009-04-09 11:22 . 2009-04-09 11:22 8,224 --a------ c:\windows\System32\GDIPFONTCACHEV1.DAT
2009-04-09 10:57 . 2009-04-09 10:57 155 --a------ c:\windows\System32\SelfDel.bat
2009-04-09 00:07 . 2009-04-09 00:07 <DIR> d-------- c:\program files\thriXXX
2009-04-08 23:35 . 2009-04-09 10:43 <DIR> d-------- c:\windows\Lhsp
2009-04-03 22:34 . 2009-04-03 22:34 <DIR> d-------- c:\users\Kartik\learn_more_study_less
2009-04-01 20:08 . 2009-04-01 20:08 <DIR> d-------- c:\users\Kartik\Height_Gain_Exercises
2009-04-01 12:51 . 2009-04-01 12:51 <DIR> d-------- c:\users\Kartik\AppData\Roaming\ACAMPREF
2009-04-01 12:51 . 2009-04-01 12:51 <DIR> d-------- c:\program files\Melody Assistant
2009-03-30 17:56 . 2009-03-30 17:56 <DIR> d-------- c:\program files\CCleaner
2009-03-27 23:20 . 2009-03-27 23:20 <DIR> d-------- c:\windows\System32\nagasoft
2009-03-27 23:12 . 2009-03-27 23:12 <DIR> d-------- c:\program files\SopCast
2009-03-27 23:06 . 2009-03-27 23:06 <DIR> d-------- c:\users\Kartik\AppData\Roaming\TVU networks
2009-03-23 19:22 . 2009-03-23 19:23 <DIR> d-------- c:\program files\ApexDC++

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 17:19 --------- d-----w c:\programdata\Kontiki
2009-04-11 11:07 --------- d-----w c:\users\Kartik\AppData\Roaming\uTorrent
2009-04-10 23:02 --------- d-----w c:\programdata\McAfee
2009-04-10 23:02 --------- d-----w c:\program files\McAfee
2009-04-10 22:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-10 22:54 --------- d-----w c:\program files\Dell Webcam
2009-04-10 22:54 --------- d-----w c:\program files\Dell
2009-04-10 22:08 --------- d-----w c:\program files\Google
2009-04-09 00:40 --------- d-----w c:\program files\Nokia
2009-04-09 00:40 --------- d-----w c:\program files\Common Files\Nokia
2009-04-08 16:45 --------- d-----w c:\users\Kartik\AppData\Roaming\dvdcss
2009-04-06 00:39 --------- d-----w c:\users\Kartik\AppData\Roaming\LimeWire
2009-04-02 08:07 --------- d-----w c:\users\Kartik\AppData\Roaming\Vso
2009-04-01 11:51 1,409 ----a-w c:\windows\Fonts\SToccata.fot
2009-03-26 03:28 --------- d-----w c:\program files\Music Alarm Clock
2009-03-23 18:21 --------- d-----w c:\program files\DC++
2009-03-12 03:08 --------- d-----w c:\program files\Windows Mail
2009-03-12 03:02 --------- d-----w c:\programdata\Microsoft Help
2009-03-09 14:06 --------- d-----w c:\users\Kartik\AppData\Roaming\Media Player Classic
2009-03-09 03:38 --------- d-----w c:\program files\ffdshow
2009-03-09 02:58 --------- d-----w c:\users\Kartik\AppData\Roaming\vlc
2009-03-03 17:13 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 15:51 --------- d-----w c:\programdata\vsosdk
2009-02-19 20:56 --------- d-----w c:\program files\Windows Live
2009-02-19 20:56 --------- d-----w c:\program files\Microsoft Sync Framework
2009-02-19 20:54 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-09 03:10 2,033,152 ----a-w c:\windows\System32\win32k.sys
2009-02-06 19:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-10 15:06 47,360 ----a-w c:\users\Kartik\AppData\Roaming\pcouffin.sys
2008-11-08 15:28 286 ----a-w c:\users\Kartik\AppData\Roaming\wklnhst.dat
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot.DeleteThis@2009-04-11_11.26.23.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-11 10:19:47 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-04-11 17:15:59 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-04-11 17:15:59 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-04-11 10:19:47 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-04-11 17:16:04 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-04-11 17:16:04 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
+ 2009-02-05 20:11:35 1,256,296 ----a-w c:\windows\System32\aswBoot.exe
+ 2009-02-05 20:04:45 97,480 ----a-w c:\windows\System32\AvastSS.scr
- 2009-04-11 10:21:36 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-12 00:45:45 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-11 10:21:36 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-12 00:45:45 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-11 10:21:36 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-12 00:45:45 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-05 20:07:12 20,560 ----a-w c:\windows\System32\drivers\aswFsBlk.sys
+ 2009-02-05 20:06:10 23,152 ----a-w c:\windows\System32\drivers\aswRdr.sys
+ 2009-02-05 20:07:23 114,768 ----a-w c:\windows\System32\drivers\aswSP.sys
+ 2009-02-05 20:06:20 51,376 ----a-w c:\windows\System32\drivers\aswTdi.sys
- 2009-04-11 10:09:40 105,502 ----a-w c:\windows\System32\perfc009.dat
+ 2009-04-12 00:50:08 105,502 ----a-w c:\windows\System32\perfc009.dat
- 2009-04-11 10:09:40 601,686 ----a-w c:\windows\System32\perfh009.dat
+ 2009-04-12 00:50:08 601,686 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-16 07:28:13 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-04-11 20:18:30 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-04-10 22:46:05 6,984 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1089532975-3156664436-4000420280-1000_UserData.bin
+ 2009-04-11 17:16:29 7,224 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1089532975-3156664436-4000420280-1000_UserData.bin
- 2009-04-10 22:46:04 78,030 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-04-11 17:16:28 78,110 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-29 442460]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-08-05 3563520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"aswAhAScr.dll"="c:\progra~1\ALWILS~1\Avast4\ASWREG~1.EXE" [2003-09-16 22016]

c:\users\Kartik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-07-15 1226024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2008-06-30 11:28 196608 c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 13:51 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2008-02-29 05:18 17920 c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2008-02-27 18:56 1032376 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 10:25 1828136 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2008-01-14 09:13 132392 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 2008-12-13 20:41 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-10-22 13:08 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EDBA0349-87A6-4954-AAEF-4E0629CC7D1E}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{D52686E5-0A3E-445B-A8D1-FE9F4B45A086}"= UDP:c:\program files\Dell Video Chat\DellVideoChat.exe:Dell Video Chat
"{B63DFA29-B635-431C-89A2-9AE35D3CD7CC}"= TCP:c:\program files\Dell Video Chat\DellVideoChat.exe:Dell Video Chat
"{AF795D33-2C45-4FE1-842F-A2741A50B927}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{97CD8F99-0462-4D10-8EFC-88A39D131655}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{FBBA5BB1-0C0D-4C0D-A95E-92F4A24243F0}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{07981FC3-470A-4882-A964-9955CF0322D2}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{305468AF-4224-48DB-8C0B-114CE4EEF15E}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{495297F2-3E9F-4B14-A6EF-C31C3F36B873}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{D2EE5AAB-67B4-4D18-B528-E84ED764B5CD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C81AF96E-40D0-4449-AAEA-5290EEF02557}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{857A3D9D-735C-45D6-972F-BC98582CAB7E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CE465A9E-6BE2-45C5-8E83-0E58126F6999}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{2841CB00-568D-4E3B-ADCD-FB51139B309D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{101C828D-1158-4934-BC7C-E370D3E9B2F2}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BFCBE3EA-B67B-4789-96DD-ABF28ADF5E34}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2B8367EA-685B-4763-9F72-2BB9D4401E63}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3AEC08F4-54A3-4819-8068-75B1C4C84E85}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6090C2F1-A57E-4139-A41D-2A5D5769490C}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{EC62F8AC-EDE1-4107-82FD-BC87C994F9F6}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{45DD02F8-E96A-4697-876C-072B7DEBFA65}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{57EC1EBC-96D5-4E7F-8EF0-D466D143C2A0}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{B5BAD696-724C-4C88-8FAE-D5D507848364}"= UDP:c:\users\Kartik\Downloads\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\PES 2009\pes2009.exe:Pro Evolution Soccer 2009
"{74D2B2BE-9E49-478D-A7C7-F18E4A1B8B75}"= TCP:c:\users\Kartik\Downloads\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\PES 2009\pes2009.exe:Pro Evolution Soccer 2009
"{D8575097-A70F-4368-9C03-BB80F3959599}"= UDP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{5D3CBC67-8520-41AE-8462-C05B3E869C6D}"= TCP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{97F2C91A-98CE-4A84-8C74-5C69F4C28804}"= UDP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
"{938211ED-24B4-4BBB-B961-BD98551D189C}"= TCP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
"{B5109C5A-05E1-4009-964C-8ACAD14D48E4}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{33471CEB-D1BC-4DD6-99D0-A0C7012492DE}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{44414C71-E878-4F61-B1DC-C1D8C9DAF887}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{784A0711-5383-4340-8CBE-DF815D4E461F}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{6159F0FF-625B-4570-B63D-B9DFE7B72158}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{4370327E-AD99-449A-B8A6-D50CCACE6B92}"= UDP:c:\program files\ApexDC++\ApexDC.exe:ApexDC++ - Pinnacle of File Sharing
"{39B26BFF-6AAA-4484-8668-081F4938F825}"= TCP:c:\program files\ApexDC++\ApexDC.exe:ApexDC++ - Pinnacle of File Sharing
"TCP Query User{8547E4E5-1AEE-4A1A-BA88-6DC1EED2D97B}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F0908877-656A-4642-8161-4B0905119FEA}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent

R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\System32\drivers\hssdrv.sys [2009-03-06 31704]
R3 itecir;ITECIR Infrared Receiver;c:\windows\System32\drivers\itecir.sys [2008-10-22 54784]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [2008-10-22 203264]
S1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-04-11 114768]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_2ba5baa4\AEstSrv.exe [2008-10-22 73728]
S2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-04-11 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-04-11 51792]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe --> c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-10 179856]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [2009-02-19 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [2009-04-10 15504]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\System32\drivers\OA001Ufd.sys [2008-10-22 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\System32\drivers\OA001Vid.sys [2008-09-18 277440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\Auto\command - infrom.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25139b70-ab64-11dd-bc9e-002170837326}]
\shell\AutoRun\command - F:\autorunner.exe "Manual.pdf"
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kartik\AppData\Roaming\Mozilla\Firefox\Profiles\fwvwtz1l.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 01:53:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-04-12 1:55:13
ComboFix-quarantined-files.txt 2009-04-12 00:55:12
ComboFix2.txt 2009-04-11 10:46:06
ComboFix3.txt 2009-04-11 10:27:30

Pre-Run: 5,562,040,320 bytes free
Post-Run: 5,518,229,504 bytes free

264 --- E O F --- 2009-03-16 03:03:24
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Sun Apr 12, 2009 5:04 pm    Post subject:

Does the Google redirect only affect Firefox or any browser you use?

Uninstall Kontiki via the Add/Remove Programs panel unless you installed it yourself.

Download the Flash Disinfector at http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Go to Start > Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" query.reg
cls


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it to run it. You will see a file called query.reg created in the same folder where you saved delete.bat. Right click on query.reg and choose Edit. Copy and paste everything from that file here. You may delete the delete.bat and query.reg file once this is done.
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sun Apr 12, 2009 10:50 pm    Post subject:

The Google redirection affects both Firefox and Internet Explorer. It randomly occurs whenever I start to search for any antispyware or tech related issue.

Here is the log file from query.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.msadpcm"="msadp32.acm"
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.i420"="iyuv_32.dll"
"VIDC.YVU9"="tsbyuv.dll"
"msacm.l3acm"="C:\\Windows\\System32\\l3codeca.acm"
"vidc.cvid"="iccvid.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"MSVideo8"="VfWWDM32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"msacm.siren"="sirenacm.dll"
"VIDC.FFDS"="ff_vfw.dll"
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Sun Apr 12, 2009 11:52 pm    Post subject:

Kontiki is there because of software I have installed called BBC iPlayer. It's spyware free and unless it's been infected I don't think it could be the cause of the problem.

I tried uninstalling BBC iPlayer but I can't because Windows Installer won't run in safe mode.
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Mon Apr 13, 2009 10:17 pm    Post subject:

Kontiki wouldn't be causing this problem and I only bring it up as you may not have installed it. It's OK to keep.

See if this helps:
Download Hoster at http://www.greyknight17.com/spy/Hoster.exe and run it. Click on Restore Original Hosts button and press OK. If you used a custom HOSTS file, you will need to restore the file back.

If the problem still occurs, run the following scans:

Download and install SUPERAntiSpyware at http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

- Run SUPERAntiSpyware and click the Check for Updates button.
- Once the update has finished, click the Scan your Computer button.
- Click on Perform Complete Scan and then click Next.
- SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
- Make sure that they all have a check next to them, and then click Next.
- Click Finish and you will be taken back to the main interface.
- It could be possible that it will ask you to reboot your computer in order to delete some files.
- I'll need a log afterwards of what has been found.
- To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
- Please post the results of the SUPERAntiSpyware log file in your next reply.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Tue Apr 14, 2009 8:50 am    Post subject:

Hey dude, thanks for all the help so far.

Unfortunately, because I'm in safe mode I can't use Windows Installer and install that SUPERAntiSpyware thingy...

I'll run the panda scan in a bit, but during a google search I came across this:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-h.../resolv

I'm having exactly the same redirections as the person on that forum. I didn't really understand what to do though, any chance you could guide me through?

(BTW, I'm still having the redirection problems after I've run the Hoster file.)
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Tue Apr 14, 2009 8:52 am    Post subject:

Also, I'm attaching a minidump file of my system failing during the BSOD...

That may help:

http://www.2shared.com/file/5345603/a09e19d4/MINIDUMP1.html
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Tue Apr 14, 2009 5:42 pm    Post subject:

Something else may be corrupted. See if you can run the system file checker. Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. Then download a new copy (from the BleepingComputer site) and save it to your desktop. Run it again and post the log here.
koolkarts



Joined: Apr 11, 2009
Posts: 11



PostPosted: Wed Apr 15, 2009 8:21 am    Post subject:

greyknight17 wrote:
Something else may be corrupted. See if you can run the system file checker. Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. Then download a new copy (from the BleepingComputer site) and save it to your desktop. Run it again and post the log here.


OK, I think I may have located the problem. I did the sfc /scannow thingy and the scan completed but it said some files were corrupt. Strangely, it didn't ask me for my Windows CD. The cmd window was still open however...

I then ran the ComboFix thing again. However this time ComboFix didn't actually run. It said that there was "rootkit activity" present on my PC and gave me details of some files with huge huge huge file names... I tried locating these files but they don't display in my system32 or drivers directory. The files were named:

....system32\drivers\ovfsthtfgkfvcnclgcieugcxojfqddrujvnucv.sys

.....system32\ovfsthgrkjtwcitydgkxveulvrbpbicvxeoxcx.dll

.....system32\ovfsthipttgjoejxtdqjnutsmincvobgvulgyg.dll

.....system32\ovfsthilbqrsjabinyjeikjejopxemgsmhippq.dll

.....system32\ovfsthnpnphnillkygpsllotxgvydeknvwoqwm.dat

ComboFix says that because there is rootkit activity on my PC, it needs to reboot. Once I reboot my computer, I have to run ComboFix again, and the same message displays. I think it's occurring because I'm in safe mode.

Also, I have a feeling that the first file in that list (the .sys one) is probably the reason behind my blue screen at startup. Do you know how I could locate the files and delete them?

Many thanks for your help so far.
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Thu Apr 16, 2009 7:58 pm    Post subject:

Give the following a try:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
c:\windows\system32\drivers\ovfsthtfgkfvcnclgcieugcxojfqddrujvnucv.sys
c:\windows\system32\ovfsthgrkjtwcitydgkxveulvrbpbicvxeoxcx.dll
c:\windows\system32\ovfsthipttgjoejxtdqjnutsmincvobgvulgyg.dll
c:\windows\system32\ovfsthilbqrsjabinyjeikjejopxemgsmhippq.dll
c:\windows\system32\ovfsthnpnphnillkygpsllotxgvydeknvwoqwm.dat

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.