
PLEASE HELP: malware, spyware, adware, etc.


I'm an old fart that could use a little help from a very good bunch of people. My computer has something that keeps redirecting my web pages to merchants and never to the right web address I click on. I'm sick of them trying to force you to buy their products. They are really ruining the internet; it's going to be just like TV, all advertisement. It is not fun. It's very much a pain in the butt. You work harder getting this spyware, adware, malware and many other viruses and hijacking, ugh! PLEASE HELP!!!!!

I'm going to try this log file attachment thing, hope it works. THANK YOU MUCH, Bruno



DDS (Ver_11-03-05.01) - NTFSx86

Run by SAVVYD at 14:47:11.32 on Sun 04/03/2011

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1216 [GMT -4:00]


AV: ESET Smart Security 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET Smart Security 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: IObit Security 360 *Disabled/Updated* {FAE2835A-B90A-9E7A-85DA-82DBDA7C1E3A}

FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS


C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService



C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe


C:\Program Files\IObit\IObit Security 360\IS360srv.exe





C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\IObit\Game Booster\gbtray.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe


C:\Program Files\real\realplayer\Update\realsched.exe


C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\IObit\IObit Security 360\is360tray.exe

C:\Program Files\Windows Sidebar\sidebar.exe


C:\Program Files\Eraser\eraser.exe

C:\Windows\system32\svchost.exe -k imgsvc


C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe


C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe



C:\Windows\System32\svchost.exe -k swprv






============== Pseudo HJT Report ===============


uStart Page = hxxp://www.yahoo.com/

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Video Download Toolbar Intercept: {b29002a0-87a1-4dc4-ac55-5982034eb61e} - c:\progra~1\videod~1\VIDEOD~1.DLL

BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [cdloader] "c:\users\savvyd\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe

uRun: [Eraser] c:\program files\eraser\eraser.exe -hide

mRun: [iolo Startup] "c:\program files\iolo\common\lib\ioloLManager.exe"

mRun: [OneTouch Monitor] c:\progra~1\vision~2\ONETOU~2.EXE

mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

mRun: [TNOD UP] "c:\program files\tnod user & password finder\TNODUP.exe" /i

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\windows\system32\iavlsp.dll

DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll


============= SERVICES / DRIVERS ===============


R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-3 16184]

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2010-7-13 20392]

R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-1-1 21048]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]

R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]

R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-12-21 41336]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-3-27 724152]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-3-27 724152]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-4-3 312152]

R2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe -service --> c:\windows\system32\lxdqcoms.exe -service [?]

R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2010-4-26 23200]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2009-12-2 5120]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-10-27 6573568]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-10-27 229888]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-11 135664]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2009-7-13 35840]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-27 1343400]


=============== File Associations ===============



scrfile=NOTEPAD.EXE %1




=============== Created Last 30 ================


2011-04-03 16:47:20 -------- d-----w- c:\program files\common files\Spigot

2011-04-03 16:42:36 -------- d-----w- c:\program files\Ventrilo

2011-04-03 16:41:48 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2011-04-03 16:33:20 -------- d-----w- c:\progra~2\IObit

2011-04-03 16:32:13 29008 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-04-03 16:32:13 16184 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-04-03 16:30:46 -------- d-----w- c:\users\savvyd\appdata\roaming\IObit

2011-04-03 16:30:46 -------- d-----w- c:\program files\IObit

2011-04-01 02:02:26 -------- d-----w- c:\program files\Eraser

2011-03-31 21:46:21 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{dc4f5676-c5cb-48ec-98d9-88a84bca79f4}\mpengine.dll

2011-03-31 21:27:32 -------- d-----w- c:\program files\TNod User & Password Finder

2011-03-31 21:24:26 -------- d-----w- c:\users\savvyd\appdata\roaming\ESET

2011-03-31 21:24:26 -------- d-----w- c:\users\savvyd\appdata\local\ESET

2011-03-31 21:23:37 -------- d-----w- c:\program files\ESET

2011-03-31 20:26:44 -------- d-----w- c:\users\savvyd\appdata\roaming\Malwarebytes

2011-03-31 20:26:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-31 20:26:34 -------- d-----w- c:\progra~2\Malwarebytes

2011-03-31 20:26:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-31 20:26:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-31 20:25:27 -------- d-----w- c:\program files\Trend Micro

2011-03-27 18:43:04 56200 ----a-w- c:\windows\system32\offreg.dll

2011-03-27 02:48:13 0 ----a-w- c:\users\savvyd\appdata\local\Wqokuvayadep.bin

2011-03-27 02:48:11 -------- d-----w- c:\users\savvyd\appdata\local\{2B0A4B20-6B8F-4170-8D87-6DFDC07A5E6D}

2011-03-09 13:56:45 -------- d-----w- c:\program files\Voice Finger

2011-03-08 20:36:35 802304 ----a-w- c:\windows\system32\FntCache.dll

2011-03-08 20:36:35 739840 ----a-w- c:\windows\system32\d2d1.dll

2011-03-08 20:36:35 1074176 ----a-w- c:\windows\system32\DWrite.dll

2011-03-08 20:36:28 850432 ----a-w- c:\windows\system32\sbe.dll

2011-03-08 20:36:28 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-03-08 20:36:28 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-03-08 20:36:28 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-08 20:36:27 2690560 ----a-w- c:\windows\system32\mstscax.dll

2011-03-08 20:36:27 1034240 ----a-w- c:\windows\system32\mstsc.exe


==================== Find3M ====================


2011-03-15 19:24:20 87688 ----a-w- c:\windows\system32\IncContxMenu.dll

2011-03-15 19:23:32 11776 ----a-w- c:\windows\system32\smrgdf.exe

2011-03-15 19:23:26 29696 ----a-w- c:\windows\system32\iolobtdfg.exe

2011-03-15 19:21:16 2234552 ----a-w- c:\windows\system32\Incinerator.dll

2011-02-05 20:56:08 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-02-05 20:56:08 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-07 07:31:10 442880 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-07 07:31:10 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll

2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys


=================== ROOTKIT ====================


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: WDC_WD5000AAKS-00V1A0 rev.05.01D05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0


device: opened successfully

user: MBR read successfully


Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86116439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8611c7d0]; MOV EAX, [0x8611c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x82C7D448] -> \Device\Harddisk0\DR0[0x860EF030]

3 CLASSPNP[0x88E0459E] -> ntkrnlpa!IofCallDriver[0x82C7D448] -> [0x859C9918]

5 ACPI[0x834373B2] -> ntkrnlpa!IofCallDriver[0x82C7D448] -> \IdeDeviceP0T0L0-0[0x850B2610]

\Driver\atapi[0x860F2D28] -> IRP_MJ_CREATE -> 0x86116439

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskWDC_WD5000AAKS-00V1A0___________________05.01D05#5&a7acbf5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user != kernel MBR !!!

sectors 976773166 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.


============= FINISH: 14:47:33.51 ===============
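As an added example (mine, not part of Bruno's post and not code from DDS, GMER or IObit), the script below applies the checks an analyst makes when reading a log like the one above: the mPolicies-system values (EnableLUA = 0 switches UAC off, ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt, PromptOnSecureDesktop = 0 shows prompts on the normal desktop where other software can interact with them), autostart entries that point at "No File" or into user-writable folders, zero-byte or GUID-named items freshly created under AppData, and the detector's "user != kernel MBR" line. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the severity labels and the "user-writable path" heuristic are my own and deliberately flag legitimate software (the MagicJack loader living in AppData) for review rather than calling it malicious.

```python
"""Triage checks for a DDS / GMER style log (added example; not DDS, GMER or IObit code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "review"
    category: str
    line: str


# Constructed excerpt modelled on the log posted above; not the full log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
uRun: [cdloader] "c:\users\savvyd\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
=============== Created Last 30 ================
2011-03-31 20:26:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-27 02:48:13 0 ----a-w- c:\users\savvyd\appdata\local\Wqokuvayadep.bin
2011-03-27 02:48:11 -------- d-----w- c:\users\savvyd\appdata\local\{2B0A4B20-6B8F-4170-8D87-6DFDC07A5E6D}
=================== ROOTKIT ====================
detected hooks:
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""

# The registry semantics are Microsoft's; the severity labels are my own choice.
UAC_EXPECTED = {"EnableLUA": 1, "PromptOnSecureDesktop": 1}
AUTOSTART_PREFIXES = ("BHO:", "TB:", "uRun:", "mRun:", "mURLSearchHooks:")
# Heuristic (mine): autostarts and brand-new files in user-writable places deserve a look.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp)\\", re.I)
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
# DDS "Created Last 30" rows: timestamp, size (or dashes for a directory), attributes, path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\S+) (\S+) (.+)$")


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := POLICY_RE.match(line):
            name, value = m.group(1), int(m.group(2))
            if name in UAC_EXPECTED and value != UAC_EXPECTED[name]:
                findings.append(Finding("high", "uac-disabled", line))
            elif name == "ConsentPromptBehaviorAdmin" and value == 0:
                findings.append(Finding("high", "uac-silent-elevation", line))
            continue
        if line.startswith(AUTOSTART_PREFIXES):
            if line.endswith("No File"):
                findings.append(Finding("review", "orphan-autostart", line))
            elif USER_WRITABLE.search(line):
                findings.append(Finding("review", "autostart-user-writable-path", line))
            continue
        if m := CREATED_RE.match(line):
            size, attrs, path = m.groups()
            is_dir = attrs.startswith("d")
            if not is_dir and size == "0" and USER_WRITABLE.search(path):
                findings.append(Finding("review", "zero-byte-file-in-appdata", line))
            elif is_dir and GUID_DIR.search(path) and USER_WRITABLE.search(path):
                findings.append(Finding("review", "guid-dir-in-appdata", line))
            continue
        if "user != kernel MBR" in line:
            # The detector's own verdict: the disk looks different from user mode and kernel mode.
            findings.append(Finding("critical", "mbr-mismatch", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:8} {f.category:30} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed excerpt it reports one critical finding (the MBR mismatch), three high ones (the three UAC policy values) and four review items; the MBR line is the one that decides the order of work, since no autostart cleanup is trustworthy while the disk is read through a hooked driver.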



Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.


1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.


If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down for about 10 seconds while inserting it. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.


What browser are you using?


Please open Command Prompt (Start > Run, type CMD and press OK [Vista/7: Start search: CMD and press Enter])

Enter the following into the black box, pressing Enter after each line:


cd desktop

mbr.exe -f



Post a log (MBR.log).


Download ComboFix by sUBs from one of the links below. Be sure to save it to the Desktop.


link # 1

Link # 2

If you are using Firefox, make sure that your download settings are as follows:


* Tools->Options->Main tab

* Set to "Always ask me where to Save the files".


Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.


Temporarily disable your anti-virus and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.


Right-click combofix.exe and select Run as Administrator and follow the prompts.

When finished, ComboFix will produce a log for you.

Post the ComboFix log and a new HijackThis log in your next reply.


NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.


Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.



Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:


If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
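The detector's "user != kernel MBR" verdict in Bruno's log and the mbr.exe -f step Dave asks for both concern the first 512 bytes of the disk, so here is an added Python example (mine, not GMER's or mbr.exe's code) that parses a 512-byte MBR and compares two copies of it the way the detector compares the user-mode read with the kernel-level read. The two images are constructed: both carry the standard Windows MBR prologue and an identical partition table, and the tampered one replaces the code after the prologue with my own hand-assembly of the ROR decoding loop visible in the posted kernel-side disassembly (MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP], CL; INC BP). The point for a practitioner is the shape of the difference: the partition table is untouched, so Windows still boots, and only the boot code differs, which is the part a clean-MBR rewrite has to replace.

```python
"""Parse and diff 512-byte MBR images (added example; not GMER's or mbr.exe's code)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

MBR_SIZE = 512
PT_OFFSET = 446          # four 16-byte partition entries start here
SIG_OFFSET = 510         # 0x55 0xAA boot signature
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty partition entries, refusing malformed images."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def build_mbr(boot_code: bytes, partitions: list[Partition]) -> bytes:
    """Assemble a 512-byte image from boot code and up to four entries (constructed test data)."""
    if len(boot_code) > PT_OFFSET or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    code = boot_code.ljust(PT_OFFSET, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if p.bootable else 0, p.type_id, p.lba_start, p.sectors)
        for p in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xAA"


def compare_mbr(user_view: bytes, kernel_view: bytes) -> dict:
    """The detector's 'user != kernel' test, split into the parts an analyst cares about."""
    first_diff = next((i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b), None)
    return {
        "identical": user_view == kernel_view,
        "boot_code_differs": user_view[:PT_OFFSET] != kernel_view[:PT_OFFSET],
        "partition_table_differs": user_view[PT_OFFSET:SIG_OFFSET] != kernel_view[PT_OFFSET:SIG_OFFSET],
        "first_diff_offset": first_diff,
    }


def verdict(user_view: bytes, kernel_view: bytes) -> str:
    """One-line reading of the comparison, in the spirit of the detector's messages."""
    r = compare_mbr(user_view, kernel_view)
    if r["identical"]:
        return "user == kernel MBR: no hidden boot code"
    if r["boot_code_differs"] and not r["partition_table_differs"]:
        return f"user != kernel MBR: boot code replaced at offset {r['first_diff_offset']}, partition table intact"
    return "user != kernel MBR: partition table also differs, inspect before rewriting"


# Standard Windows MBR prologue (copy self to 0x600 and jump there), matching the first
# instructions of the log's kernel-side disassembly: XOR AX,AX ... PUSH 061Ch; RETF; STI
PROLOGUE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
# Clean continuation: MOV CX,4; MOV BP,7BEh (walk the partition table).
CLEAN_TAIL = bytes.fromhex("b90400bdbe07")
# Hand-assembled by me from the loop the detector printed:
# PUSHA; MOV CX,147h; MOV BP,62Ah; ROR BYTE [BP],CL; INC BP
TAMPERED_TAIL = bytes.fromhex("60b94701bd2a06d24e0045")

# Constructed partition layout; sizes are illustrative only.
SAMPLE_PARTITIONS = [Partition(True, 0x07, 2048, 204800), Partition(False, 0x07, 206848, 976562176)]
CLEAN_MBR = build_mbr(PROLOGUE + CLEAN_TAIL, SAMPLE_PARTITIONS)       # what user mode is shown
TAMPERED_MBR = build_mbr(PROLOGUE + TAMPERED_TAIL, SAMPLE_PARTITIONS)  # what is really on disk

if __name__ == "__main__":
    print(verdict(CLEAN_MBR, TAMPERED_MBR))
    print(parse_partitions(TAMPERED_MBR))
```

The user-mode copy is passed first because that is the view a hooked disk path hands to ordinary readers, while the kernel-level read sees the real sector; both copies parse to the same partitions, and the comparison reports the first differing byte right after the shared prologue.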


