Possible bug/virus
 

When doing an internet search with Google I keep getting the following page

http://67.201.36.16/nolink.html.Sorry, this page no longer available

I then get up to 6 tabs opening..headed "page error opening"

This started about a week ago.

Avast/ad-aware/malwarebytes/ccleaner fail to find any bugs/problems.

I seem to recall reading that VM had introduced a "search option" that defaulted to a "guess" if it did not recognise an address..is this connected:confused: this is an "opt-out", but cannot find anything further on it..

Running the latest Firefox..I have removed/reinstalled this and I have deleted all my add-ons

Any advice please :)

Re: Possible bug/virus
 

If you're using a 32-bit operating system, try an anti-root kit.

Re: Possible bug/virus
 

Can you still browse to www.google.co.uk? Is it just the search that then falls over?

If you have any doubts about your PC, go to one of the free online antivirus scanners - preferably a site that is not operated by your chosen a/v software - such as Kaspersky, Norton, Panda, to name just a few. See what that comes up with.

Re: Possible bug/virus
 

Yep, I had one recently and could I find it...NOPE!!!

Serves me right for trying to do something dodgy online ;)

Still it gave me an excuse to upgrade to Win7

Re: Possible bug/virus
 

Thanks....Yes , can still browse to Google..then the fun starts....:(

Kaspersky not online at the mo.

Panda found nothing

Esets found 3...Win 32/adware virtumonde neo application

which it has removed....

Time will tell.....

Thanks...:)

Re: Possible bug/virus
 

Problem still on the Computer :mad::mad:

Anyone any ideas, please..

Re: Possible bug/virus
 

Try scanning with a-squared free and Malware bytes, maybe one of them might find something.

Re: Possible bug/virus
 

Try GMER if you suspect you have a Rootkit http://www.gmer.net/

If you wan`t you can also try Combofix, allthough it is usually best to do this with in conjuction with someone at bleepingcomputer, it can permanantly damage your system if incorrectly used.
http://www.bleepingcomputer.com/comb...o-use-combofix

Re: Possible bug/virus
 

Thanks...have tried both of these...no luck..:)

---------- Post added at 19:23 ---------- Previous post was at 18:12 ----------

I have run GMER and have a page of "something" under rootkit/malware..:confused:

Not sure what to do next...nothing is highlighted,,,no sign of a delete this button..

Any further advice please...:)

Re: Possible bug/virus
 

Had something similar or the same on a friends computer. Tried a number of different things to clear it. I then thought I hadn't tried SuperAntispyware. I'd been messing about for three hours. That cleared it. Sadly I can't remember what it said it was.

Re: Possible bug/virus
 

Do you have a second computer, or is there a friend who can assist? You might need to create a CD boot disc on a clean computer, together with an antivirus / antimalware scanners and then boot from the CD to scan the affected computer.

Re: Possible bug/virus
 

Can you post the log from GMER?
Can you download HiJack This and post the log file?

Do you have recover CD's for this system (& data/picture backups)? Might be a quicker/safer option!

Re: Possible bug/virus
 

I think/hope this is the logfile you mean....from hijack this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:12, on 04/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 3934 bytes

Re: Possible bug/virus
 

Nothing dangerous in there, but how about the GMER rootkit log?

Re: Possible bug/virus
 

Deleted :dunce:..clicked the wrong button..:o:..

Can download again if needed..

Can I do a "system restore"...go back about a week...??

Thanks for your help..:)

Re: Possible bug/virus
 

It would probably be best to download again.
Whilst a system restore might help, I would have though a rootkit capable of sticking itself in the restore directory as well.
Maybe run the GMER tool, save/post the log, do a restore and run GMER again?

Re: Possible bug/virus
 

Thanks...will do it later this evening, then post it here before trying a restore..

:):)

---------- Post added at 16:11 ---------- Previous post was at 14:58 ----------

I hope this is the correct log...I am a total newbie to this...:dunce:



GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-04 16:06:02
Windows 5.1.2600 Service Pack 2
Running: ew81ik0q.exe; Driver: C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\kgtoipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB1C8D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB1C8D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB1C8DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB1C8D14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB1C8D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB1C8D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB1C8D0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB1C8D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB1C8D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB1C8D8AE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74B0380]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[592] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[592] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 [F74A39F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F74A39F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F74A39F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F74A39F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F74A39F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F74A39F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Re: Possible bug/virus
 

That's the nasty - going by other threads on Bleeping Computers.

Go with the restore point / rescan plan.
If that doesn't work, a repair install from CD may do the trick, but try the restore first.

Re: Possible bug/virus
 

Thanks again...Will restore about 1 week back

Re: Possible bug/virus
 

Btw, looking at the GMER page, right clicking on the offending item in the screen should offer the option to fix it.
Might be worth trying first.

Re: Possible bug/virus
 

How did you get on?

Re: Possible bug/virus
 

My suggestion. Download and install AnVir Task Manager. It also has free version. AnVir shows you all startup programs and Windows processes, so you’ll find harmful file within one minute. I always use it when I clean my PC. Sorry for the offtopic