Anti-Malware tools don't start and browser redirects to 100ksearch.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aldogame, Jul 21, 2011.

  1. aldogame

    aldogame Private E-2

    Hi everyone, I think this is the right place to post my problem.
    Somehow I got a virus that:
    blocks all my malware removal tools (such as Malwarebytes, ComboFix, HijackThis and so on...): when I run them, a message appears telling me that I don't have the permissions to run them and that it could not find the specified path, etc.
    Also, when googling for something and clicking on one link, my browser redirects to some 100ksearch.com site... I can only copy the link and paste it in a new window to make it work.
    I also noticed that my internet icon (down right in the toolbar) keeps flashing, though my internet connection seems to work fine.
    I've got Windows XP SP3.
    Any suggestion or fix would be very appreciated! Thank you in advance!
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. aldogame

    aldogame Private E-2

    Hi and thanks for your quick reply and suggestions.
    I've done all the things, but my system won't run the exeHelper file (it doesn't even save to the desktop; somehow it's blocked).
    Here I attach the two logs from Rkill and AVPFind.
    Thanks again, I hope you might help me!
     

    Attached Files:

  4. aldogame

    aldogame Private E-2

    Please note that I was running SAS and (as happened with other registry scanners) it was shut down while scanning the registry...
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What about MGTools??
     
  6. aldogame

    aldogame Private E-2

    I tried running MGTools all day today, but a black window appears saying that it's scanning the system, and after a few seconds it disappears and nothing happens.
    I think this virus (or whatever else it is) is killing all processes that scan the registry.
    It has even killed RegSeeker running from an external drive.
    I even tried to run ComboFix in safe mode, but the virus is still there.
    ComboFix says I've even got a rootkit in the internet connection that's called ZeroAccess. But the internet works fine.
    One question: formatting all of drive C would be the last solution, but do you think it should work (erasing all viruses)?
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So, did it not therefore produce a log at C:\Combofix.txt? If so, please attach it.

    Try this for MGTools

    Please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The text before <-- is the command; the text after it is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    • analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  8. aldogame

    aldogame Private E-2

    Thanks again for your help, I'm really happy with this, though I'd like to solve this big mess!
    Now: I succeeded in running a full scan with MGtools, just putting the program in C: folder (not in desktop). I ran it and it did a full scan.
    Here you find the .zip log attached. I also attach the ComboFix log.
    Please let me know what to do now!
     

    Attached Files:

  9. aldogame

    aldogame Private E-2

    Please, any help?
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yep, help is here. :) You shouldn't "bump" though, like you did. I had a job to do and it gets busy at weekends. No point in me checking your logs with over tired eyes. Reviewing those logs now that I am more refreshed.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    Uninstall the below outdated java.

    Java(TM) 6 Update 15

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    NetSvc::
    wcguwiotx
    
    Driver::
    wcguwiotx
    5678d85f
    
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{cf739809-1c6c-47c0-85b9-569dbb141420}]
    
    File::
    C:\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\WINDOWS\temp\SCP2.tmp
    C:\WINDOWS\temp\SCP3C.tmp
    C:\WINDOWS\temp\SCP8.tmp
    C:\WINDOWS\temp\SCPC7.tmp
    C:\WINDOWS\temp\SCPFD.tmp
    c:\windows\system32\drivers\5678d85f.sys
    
    RegLock::
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin2.wsz]
    @DACL=(02 0000)
    @SACL=
    "Prefs"="mute;False;TrackTimeFormat;0"
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\MediaPlayer\Preferences\Library]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\MediaPlayer\Preferences\Library\mlDisplayArtist]
    @DACL=(02 0000)
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\MediaPlayer\Preferences\ProxySettings]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithProgids]
    @DACL=(02 0000)
    @SACL=
    "ASXFile"=hex(0):
    "VLC.asx"=hex(0):
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab\OpenWithProgids]
    @DACL=(02 0000)
    @SACL=
    "WinRAR"=hex(0):
    "CLSID\\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=hex(0):
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithProgids]
    @DACL=(02 0000)
    @SACL=
    "m3ufile"=hex(0):
    "VLC.m3u"=hex(0):
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithProgids]
    @DACL=(02 0000)
    @SACL=
    "mpegfile"=hex(0):
    "VLC.mp2"=hex(0):
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8F023BD-CDB0-1985-FB98-C11BE7CF8E4D}*]
    "maanefapejlohlgicphamkjnhn"=hex:6f,61,66,64,61,62,67,6b,66,6a,6d,6a,65,6c,6e,
       63,6e,6d,70,6e,6a,67,65,69,62,6c,6c,6c,66,6f,00,6d
    "abfnbfhmpojdoocggamkomkjebcicchdln"=hex:70,61,64,6e,68,66,69,6e,63,63,64,62,
       6d,68,6c,70,68,6b,6a,63,6e,63,68,66,70,62,61,6d,65,63,66,6d,00,40
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\securom\license information*]
    "datasecu"=hex:cb,c1,7a,f4,14,da,2c,bc,5e,05,42,26,77,49,41,59,d1,7c,3a,db,d6,
       19,99,02,cb,1c,cd,e2,ab,e2,35,db,cf,b9,2f,d3,bc,a9,4f,e7,a4,44,9e,dc,bc,8e,\
    "rkeysecu"=hex:f6,10,7c,3d,5d,83,73,af,43,5d,82,e5,b8,fe,e0,4c
    
    [HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Symantec\Norton Ghost]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\software\Classes\AcroAccess.AcroAccess\CLSID]
    @DACL=(02 0000)
    @SACL=
    @="{C523F39F-9C83-11D3-9094-00104BD0D535}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\AcroAccess.AcroAccess\CurVer]
    @DACL=(02 0000)
    @SACL=
    @="AcroAccess.AcroAccess.1"
    
    [HKEY_LOCAL_MACHINE\software\Classes\AcroAccess.AcroAccess.1\CLSID]
    @DACL=(02 0000)
    @SACL=
    @="{C523F39F-9C83-11D3-9094-00104BD0D535}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4750DFCB-41D6-4a71-B36B-DDB9550252D1}\Aspen]
    @Denied: (A D 2 3 4 5 6) (Everyone)
    "Name"="H3G"
    "Company"="H3G"
    "ID"="EASBJ"
    @=hex:40,b2,2d,fb,12,5a,b7,e0,52,18,76,af,0d,72,e6,ed,75,70,a1,ee,78,eb,ca,b5,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4750DFCB-41D6-4a71-B36B-DDB9550252D1}\Banara]
    @Denied: (A D 2 3 4 5 6) (Everyone)
    @=hex:70,6d,79,37,72,6a,65,61,64,6e,69,64,6a,33,61,75,69,61,76,73,37,76,7a,65,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid]
    @DACL=(02 0000)
    @SACL=
    @="{00020420-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
    @DACL=(02 0000)
    @SACL=
    @="{00020420-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\TypeLib]
    @DACL=(02 0000)
    @SACL=
    @="{CA8A9783-280D-11CF-A24D-444553540000}"
    "Version"="1.3"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid]
    @DACL=(02 0000)
    @SACL=
    @="{00020420-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
    @DACL=(02 0000)
    @SACL=
    @="{00020420-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\TypeLib]
    @DACL=(02 0000)
    @SACL=
    @="{CA8A9783-280D-11CF-A24D-444553540000}"
    "Version"="1.3"
    
    [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\2.0]
    @DACL=(02 0000)
    @SACL=
    @="Acrobat Access 2.0 Type Library"
    
    [HKEY_LOCAL_MACHINE\software\Google\NavClient]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\software\Hewlett-Packard Company\Combined Modem Driver Installer]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\smax4.exe]
    @DACL=(02 0000)
    @SACL=
    @="c:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe"
    "Path"="c:\\Program Files\\Analog Devices\\Core"
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\smax4pnp.exe]
    @DACL=(02 0000)
    @SACL=
    @="c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "Path"="c:\\Program Files\\Analog Devices\\Core"
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\SMaxCore]
    @DACL=(02 0000)
    @SACL=
    @="c:\\Program Files\\Analog Devices\\Core"
    "Path"="c:\\Program Files\\Analog Devices\\Core"
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\smwdmif.dll]
    @DACL=(02 0000)
    @SACL=
    @="c:\\Program Files\\Analog Devices\\Core\\smwdmif.dll"
    "Path"="c:\\Program Files\\Analog Devices\\Core"
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\SoundMAX]
    @DACL=(02 0000)
    @SACL=
    "Path"="c:\\Program Files\\Analog Devices\\SoundMAX"
    @="c:\\Program Files\\Analog Devices\\SoundMAX"
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\WinDVD.exe]
    @DACL=(02 0000)
    "Path"="c:\\Program Files\\InterVideo\\WinDVD"
    @="c:\\Program Files\\InterVideo\\WinDVD\\WinDVD.exe"
    
    [HKEY_LOCAL_MACHINE\software\PepiMK Software\SpybotSnD]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings\ATI WDM Configurations]
    @DACL=(02 0000)
    @SACL=
    "PnP ID Version"="34"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings\MMLIB]
    @DACL=(02 0000)
    @SACL=
    "ForceOneField"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001\Settings\ATI WDM Configurations]
    @DACL=(02 0000)
    @SACL=
    "PnP ID Version"="34"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001\Settings\MMLIB]
    @DACL=(02 0000)
    @SACL=
    "ForceOneField"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Answer]
    @DACL=(02 0000)
    @SACL=
    "1"="ATA<cr>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Fax]
    @DACL=(02 0000)
    @SACL=
    "HardwareFlowControl"="1"
    "SetupCommand"="ATS7=60&K3"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Hangup]
    @DACL=(02 0000)
    @SACL=
    "1"="ATH E1<cr>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Init]
    @DACL=(02 0000)
    @SACL=
    "1"="AT<cr>"
    "2"="AT &F E0 &C1 &D2 V1 S0=0\\V1 +PQC=3<cr>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Monitor]
    @DACL=(02 0000)
    @SACL=
    "1"="ATS0=0<cr>"
    "2"="None"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Settings]
    @DACL=(02 0000)
    @SACL=
    "Prefix"="AT"
    "Terminator"="<cr>"
    "DialPrefix"="D"
    "DialSuffix"=";"
    "CallSetupFailTimer"="S7=<#>"
    "SpeakerVolume_Low"="L0"
    "SpeakerVolume_Med"="L2"
    "SpeakerVolume_High"="L3"
    "SpeakerMode_Off"="M0"
    "SpeakerMode_Dial"="M1"
    "SpeakerMode_On"="M2"
    "SpeakerMode_Setup"="M3"
    "FlowControl_Off"="&K0"
    "FlowControl_Hard"="&K3"
    "FlowControl_Soft"="&K4"
    "ErrorControl_On"="\\N3"
    "ErrorControl_Off"="\\N1"
    "ErrorControl_Forced"="\\N4"
    "Compression_Off"="%C0"
    "Compression_On"="%C1"
    "Modulation_CCITT"="B0B15B2"
    "Modulation_Bell"="B1B16B2"
    "SpeedNegotiation_Off"="N0\\J1"
    "SpeedNegotiation_On"="N1\\J1"
    "Pulse"="P"
    "Tone"="T"
    "Blind_Off"="X4"
    "Blind_On"="X3"
    "InactivityTimeOut"="S30=<#>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Answer]
    @DACL=(02 0000)
    @SACL=
    "1"="ATA<cr>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\ATPUD]
    @DACL=(02 0000)
    @SACL=
    "ATPUD"=hex:02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Blst]
    @DACL=(02 0000)
    @SACL=
    "FLAG"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\CSD]
    @DACL=(02 0000)
    @SACL=
    "EnableKmixer"=hex:01,00,00,00
    "KMixerDataInitialDelay"=hex:0d,00,00,00
    "KMixerSpkpInitialDelay"=hex:0c,00,00,00
    "MaxSampleValue"=hex:e8,03,00,00
    "UnMuteTimerDuration"=hex:d0,07,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\DspInfo]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Fax]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Hangup]
    @DACL=(02 0000)
    @SACL=
    "1"="ATH<cr>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Init]
    @DACL=(02 0000)
    @SACL=
    "1"="AT<cr>"
    "2"="AT&FE0V1S0=0&C1&D2+MR=2;+DR=1;+ER=1;W2<cr>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Monitor]
    @DACL=(02 0000)
    @SACL=
    "1"="ATS0=0<cr>"
    "2"="None"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\OEM]
    @DACL=(02 0000)
    @SACL=
    "SREGS"=hex:00,00,2b,0d,0a,08,04,32,02,06,0e,5f,32,ff,8a,00,00,00,00,00,00,34,
       77,37,00,05,01,49,00,00,00,06,11,13,ff,ff,07,00,14,03,00,05
    "AT+MS"=hex:5c,00,00,00,01,00,00,00,4b,00,00,00,80,bb,00,00,4b,00,00,00,c0,da,
       00,00
    "TONEPARAMS"=hex:4c,04,14,00,0a,00,00,00,cc,ff,cc,ff,04,00,00,00,2c,01,00,00,
       2c,01,00,00,34,08,28,00,0a,00,00,00,cc,ff,cc,ff,0e,00,00,00,32,00,00,00,32,\
    "CONSTTONEPARAMS"=hex:b1,08,3c,00,0a,00,00,00,cc,ff,cc,ff,02,00,00,00,32,00,00,
       00,32,00,00,00,34,08,32,00,32,00,00,00,cc,ff,cc,ff,03,00,00,00,64,00,00,00,\
    "V25TER"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
       00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,c1,00,00,00,01,00,00,00,22,\
    "FLAGS"=hex:02,07,00,08,08,00,00,00
    "SPKR_MUTE_DELAY"=hex:2c,01
    "OFF_HOOK_CONVERGENCE_DURATION"=hex:c8,00
    "AT_MISC_DEF"=hex:02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
    "VOLUME_AMPLIFICATION_PARMS"=hex:00,00,00,00,fa,ff,ff,ff,18,00,00,00
    "CADENCE"=hex:01,2c,01,00,00,ee,02,00,00,d0,07,00,00,80,0c,00,00,00,00,00,00,
       00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,2c,01,00,00
    "PROPERTIES"=hex:ff,ff,ff,ff
    "MOD_THRESHOLD"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    "CSA_FLAGS"=hex:00,00,00,00
    "DAAType"=hex:01
    "SmartDAAParams"=hex:90,1a,00,00,39,03,00,00,18,00,00,00,32,02,00,00,4a,01,00,
       00,96,00,00,00,4a,01,00,00,d0,07,00,00,03,0c,03,03,0a,0a,14,1d,1e,0a,0e,13,\
    "SmartDAAParamsK3"=hex:90,1a,00,00,39,03,00,00,18,00,00,00,32,02,00,00,4a,01,
       00,00,96,00,00,00,4a,01,00,00,d0,07,00,00,03,0c,03,03,0a,0a,14,1d,1e,0a,0e,\
    "SmartDAAParamsHal"=hex:90,1a,00,00,39,03,00,00,18,00,00,00,32,02,00,00,4a,01,
       00,00,96,00,00,00,4a,01,00,00,d0,07,00,00,03,0c,03,03,06,08,12,16,1e,06,0c,\
    "DTMF_COMP_LEVEL"=hex:17,00,00,00,15,00,00,00,14,00,00,00,12,00,00,00,0b,00,00,
       00,08,00,00,00,04,00,00,00,00,00,00,00
    "HwData"=hex:00,10,00,30,00,80,11,00
    "DLG_PARAMS"=hex:01,00,00,00,00
    "HANDSET_PARAMS"=hex:00,00,ff,ff,ff
    "WOR"=hex:00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
       ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff
    "DC_CALC_PARAMS"=hex:2c,01,00,00,00,04,00,00,00,00,00,00
    "CPU_FREQ_CHANGE"=hex:00,00,00,00,00,00,00,00
    "CPU_FREQ_CHANGE_REVB"=hex:00,00,00,00,00,00,00,00
    "FAX_PRE_LOAD_DELAY"=hex:08,00,00,00
    "CONTROLLER_THREAD_TIMER_RESOLUTION_EC_CONNECTED"=hex:0a
    "SOFT_RING_PARAMS"=hex:00,00,b9,0b,b8,0b,00,00,49,71,48,71,01,00,d8,59,a0,0f,
       00,00,30,75,b8,0b
    "JCID_RING"=hex:32,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Profile]
    @DACL=(02 0000)
    @SACL=
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Region]
    @DACL=(02 0000)
    @SACL=
    "Current"=hex:59,00
    "Previous"=hex:59,00
    "COPY_CTY"=hex:00,00,00,00
    "RegionList"=hex:ff,fe,7f,fe,ff,ff,ff,7f,fb,fb,ff,df,ff,ff,ff,ff,ff,ff,dd,ff,
       ff,ff,ff,ff,be,ff,ff,ff,ff,fd,bf,5f
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\SdkCapable]
    @DACL=(02 0000)
    @SACL=
    "Type"=hex:00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\Settings]
    @DACL=(02 0000)
    @SACL=
    "Prefix"="AT"
    "Terminator"="<cr>"
    "DialPrefix"="D"
    "DialSuffix"=";"
    "SpeakerVolume_Low"="L1"
    "SpeakerVolume_Med"="L2"
    "SpeakerVolume_High"="L3"
    "SpeakerMode_Off"="M0"
    "SpeakerMode_Dial"="M1"
    "SpeakerMode_On"="M2"
    "SpeakerMode_Setup"="M3"
    "FlowControl_Off"="+IFC=0,0;"
    "FlowControl_Hard"="+IFC=2,2;"
    "FlowControl_Soft"="+IFC=1,1;"
    "Pulse"="P"
    "Tone"="T"
    "Blind_Off"="X4"
    "Blind_On"="X3"
    "CallSetupFailTimer"="S7=<#>"
    "ErrorControl_On"="+ES=3,0,2;"
    "ErrorControl_Off"="+ES=1,0,1;"
    "ErrorControl_Forced"="+ES=3,2,4;"
    "Compression_On"="+DS=3;+DS44=3;"
    "Compression_Off"="+DS=0;+DS44=0;"
    "InactivityTimeout"="S30=<#>"
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\V92]
    @DACL=(02 0000)
    @SACL=
    "QC_CONF"=hex:01,01,01,01
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{D9515ED2-19F7-418E-8890-ABBC23D3C05E}\0000\ATI WDM Configurations]
    @DACL=(02 0000)
    @SACL=
    "PnP ID Version"="34"
    "EnableVirtualTables"=hex:00,00,00,00
    "Hardware Detection"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{D9515ED2-19F7-418E-8890-ABBC23D3C05E}\0000\ATI WDM Configurations\Frequency Table]
    @DACL=(02 0000)
    "Virtual Reference Clock"=hex:32,2e,00,00
    "Reference Clock"=hex:98,3a,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{D9515ED2-19F7-418E-8890-ABBC23D3C05E}\0000\ATI WDM Configurations\Hardware Info]
    @DACL=(02 0000)
    "Virtual Hardware Table Revision"=hex:02,00,00,00
    "Virtual Hardware Table Data"=hex:02,35,01,02
    "Hardware Table Length"=hex:04,00,00,00
    "Hardware Table Revision"=hex:02,00,00,00
    "Hardware Table Data"=hex:0f,35,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{D9515ED2-19F7-418E-8890-ABBC23D3C05E}\0000\ATI WDM Configurations\Multimedia Table]
    @DACL=(02 0000)
    "Virtual Multimedia Table Revision"=hex:01,00,00,00
    "Virtual Multimedia Table Data"=hex:11,19,06,80,33,66,02,05,06,00,00,07
    "Multimedia Table Length"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{D9515ED2-19F7-418E-8890-ABBC23D3C05E}\0000\MMLIB]
    @DACL=(02 0000)
    @SACL=
    "ForceOneField"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{FEDB5581-15A8-4DD9-906E-26900D48C54E}\0000\ATI WDM Configurations]
    @DACL=(02 0000)
    @SACL=
    "PnP ID Version"="34"
    "EnableVirtualTables"=hex:00,00,00,00
    "Decoder Type"=hex:00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{FEDB5581-15A8-4DD9-906E-26900D48C54E}\0000\ATI WDM Configurations\Frequency Table]
    @DACL=(02 0000)
    "Virtual Reference Clock"=hex:32,2e,00,00
    "Reference Clock"=hex:98,3a,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{FEDB5581-15A8-4DD9-906E-26900D48C54E}\0000\ATI WDM Configurations\Hardware Info]
    @DACL=(02 0000)
    "Virtual Hardware Table Revision"=hex:02,00,00,00
    "Virtual Hardware Table Data"=hex:02,35,01,02
    "Hardware Table Length"=hex:04,00,00,00
    "Hardware Table Revision"=hex:01,00,00,00
    "Hardware Table Data"=hex:0f,35,01,02
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{FEDB5581-15A8-4DD9-906E-26900D48C54E}\0000\ATI WDM Configurations\Multimedia Table]
    @DACL=(02 0000)
    "Virtual Multimedia Table Revision"=hex:01,00,00,00
    "Virtual Multimedia Table Data"=hex:11,19,06,80,33,66,02,05,06,00,00,07
    "Multimedia Table Length"=hex:0c,00,00,00
    "Multimedia Table Data"=hex:00,00,00,00,00,00,00,00,00,00,00,00
    "Dual Tuner"=hex:00,00,00,00
    "Multimedia Table Revision"=hex:01,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\controlset004\Control\Video\{FEDB5581-15A8-4DD9-906E-26900D48C54E}\0000\MMLIB]
    @DACL=(02 0000)
    @SACL=
    "ForceOneField"=dword:00000000
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      rasl2tp.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Run TDSSKiller again and attach the new log.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Are you still having redirects?
     
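The CFScript in the post above is a plain-text instruction file for ComboFix: each directive ("KILLALL::", "NetSvc::", "Driver::", "Registry::", "File::", "RegLock::") heads a section, and the lines beneath it are the services, drivers, registry keys and files the tool is told to act on. The parser below is an added example for this page, not ComboFix's own code and not something posted in the thread. It assumes only the layout visible in the post: a header is a word followed by "::" alone on a line, every non-blank line up to the next header belongs to that section, and "[-KEY]" under Registry:: means "delete KEY". The cross-check that every name under Driver:: has a matching .sys under File:: is this example's own idea, added to show what the script will and will not remove; the sample input is a constructed excerpt of the posted script.

```python
"""Parse a ComboFix CFScript into sections and pull out what it targets.

Added example; not ComboFix's code and not part of the original thread.
Assumptions: a section header is WORD:: alone on a line; every non-blank
line up to the next header belongs to that section; "[-KEY]" under
Registry:: deletes KEY (the convention used in the posted script). The
driver-vs-file cross-check is this example's own addition.
"""
import ntpath
import re

HEADER_RE = re.compile(r"^(\w+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")


def parse_cfscript(text):
    """Return {section_name: [lines]} in order of appearance."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and current is not None:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Extract the concrete artifacts the script will act on."""
    services = list(sections.get("NetSvc", []))
    drivers = list(sections.get("Driver", []))
    files = list(sections.get("File", []))

    # Registry:: lines written as [-KEY] delete the whole key.
    registry_deletes = []
    for line in sections.get("Registry", []):
        m = KEY_RE.match(line)
        if m and m.group(1) == "-":
            registry_deletes.append(m.group(2))

    # RegLock:: is a dump of locked keys with their ACL state; keep the paths.
    reglock_keys = []
    for line in sections.get("RegLock", []):
        m = KEY_RE.match(line)
        if m:
            reglock_keys.append(m.group(2))

    # Cross-check (this example's own idea): a driver named X is expected to
    # have X.sys under File::. A driver with no file entry only gets its
    # service/driver registry entry removed by the script.
    basenames = {ntpath.basename(p).lower() for p in files}
    drivers_without_file = [d for d in drivers
                            if d.lower() + ".sys" not in basenames]

    return {
        "kill_all": "KILLALL" in sections,
        "services": services,
        "drivers": drivers,
        "service_and_driver": sorted(set(services) & set(drivers)),
        "registry_deletes": registry_deletes,
        "files": files,
        "reglock_keys": reglock_keys,
        "drivers_without_file": drivers_without_file,
    }


# Constructed input: an excerpt of the CFScript posted in the thread above.
SAMPLE = r"""KILLALL::

NetSvc::
wcguwiotx

Driver::
wcguwiotx
5678d85f

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{cf739809-1c6c-47c0-85b9-569dbb141420}]

File::
C:\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
C:\WINDOWS\temp\SCP2.tmp
C:\WINDOWS\temp\SCP3C.tmp
C:\WINDOWS\temp\SCP8.tmp
C:\WINDOWS\temp\SCPC7.tmp
C:\WINDOWS\temp\SCPFD.tmp
c:\windows\system32\drivers\5678d85f.sys

RegLock::
[HKEY_USERS\S-1-5-21-1060284298-1547161642-682003330-6578\Software\Microsoft\MediaPlayer\Preferences\Library]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4750DFCB-41D6-4a71-B36B-DDB9550252D1}\Aspen]
@Denied: (A D 2 3 4 5 6) (Everyone)
"""

if __name__ == "__main__":
    for key, value in summarize(parse_cfscript(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary shows the two Internet Explorer SearchScopes keys being deleted (the entries behind the search redirect the poster described), the randomly named service and driver "wcguwiotx" that appear in both NetSvc:: and Driver:: with no file on disk, and the driver "5678d85f" whose .sys file is listed under File::. Reading a CFScript this way before dragging it onto ComboFix is a cheap way to confirm exactly which keys and files a helper has asked you to remove.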
