IE 'memory not read', new windows, and redirects

Discussion in 'Malware Help (A Specialist Will Reply)' started by stinchte, Apr 11, 2010.

  1. stinchte

    stinchte Private E-2

    Well I was hoping to get away without posting, because it is:

    a) clear that there are enough people with this problem here already, so I was hoping I could simply glean enough to help myself, and
    b) after following the 'cleaning procedure' as best I could (RootRepeal wouldn't run), I thought I had finally removed the problem, and so ran several more scans to gain extra confidence, and tidied a few things up, only to then discover that the problem is still with me (i.e. I haven't followed the cleaning procedure exactly 'to the rules').

    However, it is clear that some of the Combofix and MGtools stuff is fairly 'invasive', as I have lost sound on my PC (erk! - some codec or other deleted/quarantined I guess), and my mouse buttons won't work (but I know the cause of that), so here goes...

    Trouble started at 20:37 on 05/04/2010 - I was using Google Image search, and on opening a search link, got the Microsoft 'crash report' window for a 'prun.exe', asking 'did I want to send the crash dump'? I can't remember my exact actions (I said 'no' to sending the dump), but I'm sure prun was no longer resident, but shortly thereafter four things started to happen:

    1. I'm getting many pop-ups from Internet Explorer. (These almost always occur after a new window, as item 2), has appeared and been closed, but at other times too)
    2. I get new IE windows taking me to weird and wonderful places (stopzilla, ad.yieldmanager, tigerrosedirect.com, ask.com etc.), sometimes with the exact same search text that I have entered into Google.
    3. I'm fairly certain I have seen the 're-directs' where I haven't been taken to the URL the search results say I should be going.
    4. NIS reports an attempted attack on my computer every time I change the search criteria on Google (but only from the search results page, not from the 'advanced search' page)

    Once I established 'prun.exe' was not nice, I ran any number of NIS, Spybot S&D scans (which didn't turn up much), and also found and deleted several other files that had clearly appeared at the same time and which may have been connected (e.g. C:\windows\srun.log, and four unidentifiable files in C:\downloaded programs\ folder).

    Once I found my way to this forum and its excellent instructions, I felt salvation was at hand. I'm attaching what I have, but as mentioned above, I couldn't get RootRepeal to run - it would hang on 'initializing' for maybe 10 or 15 minutes, and there was little or no indication from the disk that anything was happening. I tried both with and without the NIS AV software and firewall active, but as I am also getting frequent NIS alerts that it has repelled an attack on my computer, I'm not keen to let RootRepeal do its thing with NIS off and still be connected to the internet, so I don't know if that was a factor (and it may be that I have always been getting these attacks, i.e. it is nothing new, but I had just turned the alerts off, which may have been re-activated by cleaning out all the temporary cookies and stuff...).

    Things I have 'fiddled with' after running everything:

    1. I was using MSConfig to stop some programs running at start up, notably the probably-never-used HP updater, HPWuSchd2.exe - now I see the error of my ways in using MSConfig this way, I decided to put the zap on this in the registry, and so deleted its key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
    2. I also discovered the remnants of an old problem from several years ago, 'World Wide Web Toolbar', which was still showing in the 'add/remove programs' list (clicking to attempt removal yields an error as most of it is gone, but I believe there are just a few other traces of it around), so I deleted the 'uninstall' key for it in the registry.
    3. (Not actually done yet) One of the registry keys removed by Combofix was for 'point32.exe' - this is a legit exe controlling my multi-button mouse, so I'd like it back! (I have been manually executing it at the moment, no great shakes, and I've managed to resist the temptation to manually re-insert the key in the registry).
    As with anyone who posts here, any help will be most gratefully received!

    Thanks,
    Tim

    Some basic info (which presumably is all in the files anyhow) - I'm running:

    XP Home SP3; it's a 32-bit system
    IE version 8.0.6001.18702
    NIS version 16.8.0.41
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, stinchte

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, stinchte

    Question: Did you receive any error messages while running MGTools? The contents of your attached MGLogs.zip didn't contain the expected set of logs, and I need them to get a good look at your machine - including viewing the contents of ComboFix's quarantine folder.

    Let's run another rootkit detector:

    * Please download this: SysProt AntiRootkit

    This is a ZIP file so unzip onto your Desktop which should create a SysProt folder on your Desktop.
    • Open the SysProt folder by double clicking it
    • Double click Sysprot.exe to start the program.
    • Click on the Log tab.
    • In the Write to log box, make sure to select and unselect the following items.
      • Process << Selected
      • Kernel Modules << Selected
      • SSDT << Selected
      • Kernel Hooks << Selected
      • IRP Hooks << NOT Selected
      • Ports << NOT Selected
      • Hidden Files << Selected
    • At the bottom of the page
      • Hidden Objects Only << Selected
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new window should appear.
    • Select Scan Root Drive. Click on the Start button.
    • When it is complete a new window will appear to indicate that the scan is finished.
    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Attach the SysProtLog.txt log file to your next message.

    Now - Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Then - run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • SysProtLog.txt

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  4. stinchte

    stinchte Private E-2

    Hi Dr Moriarty,
    Many thanks for your replies and help.

    Not that I specifically recall the first time, but there was one this second time - it couldn't find a file c2<something>.txt in the 'temp' subfolder?
    You're right they didn't, and I could kick myself for not realising that, as I spent a while browsing all the files that had been produced. You'll notice that it was even worse this time, only 3 instead of 4, but I have scooped up all the plain-text files with today's date, and zipped them up, so hopefully this is better than nothing (I'm hoping the large binary file isn't of any interest?).
    I've attached that too, in case it isn't part of the MGTools round-up.

    Other than that missing file in MGtools that I spotted, all seemed to run as planned - at least there is a log file for the SysProt prog this time! I also forgot to switch off NIS when I ran this stuff though - I thought to do so, but got interrupted by my kitchen timer (cooking my tea...) - hopefully since you didn't explicitly mention it this won't have been a problem?

    Random, unsolicited IE windows keep popping up, often taking me to random sites, but sometimes to search sites, and with the exact same search string I entered in Google. This seems to happen more frequently when I am actually using Google, but sometimes just all of a sudden out of the blue. Following such incidents, I nearly always get the 'IE couldn't read the memory at address xxx' pop-up. Firefox is pretty much the same - lots of unsolicited new windows, and sometimes I am also getting re-directs on the search results themselves, i.e. I am clearly not taken to the place I was expecting to go. (Firefox isn't giving the memory read errors though.)

    Also, in a few instances I have had Windows' 'Generic Host Process for Win32 Services' actually crash out ('unexpected error, it is going to have to close'), resulting in the pop-up requesting a crash dump be sent (which in these instances I have sent!). One of the things this clearly controls is the sound: in my first post I mentioned I had lost this, but it seems only for Flash player and Real player (.wav files), and mp3 files - .mpg, .wmv, .avi all seem OK, and CDs and DVDs play alright, right up until the generic process crashes out, when I seem to have lost at least the sound on DVDs (but I'm sure this is a minor inconvenience to fix, when weighed against whatever is really screwing with my machine...).

    Thanks again for your help,
    Tim
     

    Attached Files:

  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, stinchte

    "You're welcome"

    I see something that requires an additional scanner.

    Please run this: GMER - running with a random name and attach the log from GMER.

    dr.m
     
  6. stinchte

    stinchte Private E-2

    Hi Dr. M,
    Attached is the GMER log - it has spotted some 'suspicious modifications'.

    I have also learned a few more things:
    1. I found at least one other forum thread with people who had similar problems, reporting that none of Superantispyware, Malwarebytes, or Combofix found the culprit, but that 'Hitman Pro' or 'Eset Security Center' did
    2. my copy of Lavasoft Ad-aware won't update - possibly being prevented from doing so?
    3. re-directs seem to be going through www.directrdr.com

    Whilst none of these may help directly, they are giving me hope that it is not the end of the world! The biggest inconvenience is the loss of sound: since DVDs etc play OK, it doesn't seem like anything connected with the sound card or software, but no Windows sounds (mouse clicks in IE, the start-up/close-down 'ta da' etc) play at all, which makes me think it is a setting in Windows itself which is wrong or has been messed with.

    Thanks,
    Tim
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    We're zeroing in on the problem, stinchte.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":
    Code:
    :filefind
    pciide.sys   
    • Please confirm everything is copied and pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.

    dr.m
     
  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    stinchte

    Is your rather old version Ad-aware 6 Personal still supported?

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Re-boot your machine, after reboot - please rerun GMER just like the previous time.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach these files to your next reply:
    • new CFlog.txt
    • new GMER log
    • new C:\MGlogs.zip

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
    Last edited: Apr 16, 2010
  9. stinchte

    stinchte Private E-2

    Hi Dr. M,
    I'm going to reply in sequence, so that I don't lose anything - I saw your most recent message as I was preparing to send the Systemlook log, but it was late here and I didn't want to mess anything up due to tiredness. I'll be running the Combofix after this post, and then re-scanning with GMER, which took over 3 hours yesterday...

    I note Systemlook found pciide.sys in two locations - if we need another bite at the cherry, then so be it I guess!

    Thanks,
    Tim
     

    Attached Files:
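An added example, not SystemLook's code or anything posted in this thread: the `:filefind pciide.sys` step above lists every file with that name, and the reply notes it turned up in two locations. The script below does the same name search over a directory tree and additionally SHA-256-hashes each hit, so two copies whose contents differ (what a rootkit that has patched a driver in place leaves behind next to an untouched backup copy) stand out; the directory tree it scans is constructed inside the script, and running it against a real system drive is the assumed use.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def filefind(root, name):
    """Like SystemLook's :filefind: every file called `name` under root (case-insensitive, as Windows names are) with its SHA-256."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                path = os.path.join(dirpath, fn)
                hits.append((path, sha256_of(path)))
    return sorted(hits)

def group_by_content(hits):
    """Map digest -> paths; more than one group means the copies differ, which is the case worth a closer look."""
    groups = defaultdict(list)
    for path, digest in hits:
        groups[digest].append(path)
    return {d: sorted(p) for d, p in groups.items()}

def build_sample_tree():
    """Constructed sample tree: a backup copy and a modified in-use copy of the driver."""
    root = tempfile.mkdtemp()
    clean = b"MZ clean pciide driver image (constructed bytes)"
    backup = os.path.join(root, "WINDOWS", "Driver Cache")
    live = os.path.join(root, "WINDOWS", "system32", "drivers")
    os.makedirs(backup)
    os.makedirs(live)
    with open(os.path.join(backup, "pciide.sys"), "wb") as f:
        f.write(clean)
    with open(os.path.join(live, "PCIIDE.SYS"), "wb") as f:
        f.write(clean + b" + extra bytes standing in for an in-place patch")
    return root

if __name__ == "__main__":
    groups = group_by_content(filefind(build_sample_tree(), "pciide.sys"))
    print("copies:", sum(len(p) for p in groups.values()), "distinct contents:", len(groups))
    for digest, paths in groups.items():
        print(digest[:16], paths)
```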

  10. stinchte

    stinchte Private E-2

    Hi Dr. M,
    I can report that things are looking up!
    Good question - I'll check the answer later! I was kinda hoping when I launched it and it asked to 'check for updates' and it seemed to do something for a while, that it would bring itself up-to-date, but alas it fell into a little heap.

    Combofix did ask to update, so I had to fire-up a browser window to allow me access to my router to reconnect, but it seemed to cope without any problems. Also the MGTools zip-up seems to have worked properly this time.

    Initial signs are very good: Combofix reported signs of 'rootkit activity', and on the re-boot, I actually got the Windows start-up signature sound, so something had clearly happened! Does the blighter that caused the problem (presumably embedded in pciide.sys) have a particular name, so I can go read about it?

    Having run the rest (logs attached), I can report:
    1. mp3 files and Adobe Flash player now audible again
    2. no NIS alerts each time I change search string in Google window
    3. and so far (touch wood), no re-directs or pop-ups!
    I seem to have key-click sounds in more places than before, but I'm sure I can drill-down into some options and customize to my tastes. Lack of buttons on my optical mouse is still a minor annoyance - I can see the reg key deleted that turned this off, is there a simple 'script' way for me to cut-and-paste this to some command window to re-insert it, without having to edit by hand?

    Many thanks for your efforts: I'm quite active on various forums myself, helping people with synthesizer/electronics questions, so I feel I have just been paid back a huge favour, with interest!

    Thanks and regards,
    Tim
     

    Attached Files:
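An added example, not from anyone in the thread, for the question above about re-inserting a Run entry without editing the registry by hand: the script builds a .reg file for the HKLM\...\Run key that regedit can merge (double-click, or `reg import`), handling the backslash and quote escaping that regedit's export format requires. The HP entry is the one quoted in the first post; the point32.exe entry is a placeholder because the thread never shows its name or path, and both would be taken from the ComboFix log before use.

```python
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def reg_string(value):
    """Quote a REG_SZ string as regedit exports it: backslashes and double quotes inside the value are escaped with a backslash."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def run_key_reg(entries):
    """Text of a .reg file that adds each name -> command line under the Run key; 'Version 5.00' is the format XP's regedit writes and reads."""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + RUN_KEY + "]"]
    for name, command in entries.items():
        lines.append(reg_string(name) + "=" + reg_string(command))
    return "\r\n".join(lines) + "\r\n"

def write_reg(path, entries):
    """Write the file as UTF-16 with a BOM and CRLF line ends, the form regedit produces itself."""
    with open(path, "w", encoding="utf-16", newline="") as f:
        f.write(run_key_reg(entries))

if __name__ == "__main__":
    entries = {
        # the entry deleted by hand in the first post (path quoted there)
        "HP Software Update": r"c:\program files\HP\HP Software Update\HPWuSchd2.exe",
        # PLACEHOLDER: the thread never shows the point32.exe value; take the
        # real name and command line from the ComboFix log before merging
        "PLACEHOLDER name": r"C:\PLACEHOLDER\point32.exe",
    }
    print(run_key_reg(entries))
    write_reg("restore-run.reg", entries)
```

Review what is in the generated file before merging it; a Run entry is an autostart location, which is exactly why cleanup tools remove entries from it.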

