
Author Topic: Google Redirect  (Read 48804 times)


Kerjifire

  • Guest
Re: Google Redirect
« Reply #60 on: March 16, 2010, 01:57:36 AM »
 :-\ I hope I did this right:



Tue Mar 16 22:57:05 2010
Command line: TestDisk

TestDisk 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Windows XP
Compiler: GCC 4.3, Cygwin 1005.25 - May  6 2009 20:35:43
ext2fs lib: 1.41.4, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=160040803840
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=1000203804160
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdc)=2019557376
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=160040803840
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=1000203804160
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive2)=2019557376
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=69511809024
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\D:)=114027024384
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\E:)=48586728960
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\F:)=41940702720
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\G:)=214457725440
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\H:)=318392363520
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\I:)=353325127680
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\J:)=2015363072
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\X:)=290244608
file_pread(4,1,buffer,312592769(19457/254/63)) lseek err Invalid argument
file_pread(5,1,buffer,1953536129(121601/254/63)) lseek err Invalid argument
file_pread(6,1,buffer,3951989(245/254/63)) lseek err Invalid argument
Hard disk list
Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63, sector size=512 - WDC WD1600JD-00HBB0
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - SAMSUNG HD103UJ
Disk /dev/sdc - 2019 MB / 1926 MiB - CHS 245 255 63, sector size=512 - JetFlash Transcend 2GB
Drive X: - 290 MB / 276 MiB - CHS 69 64 32, sector size=2048 - PIONEER DVD-RW  DVR-109

Partition table type (auto): Intel
Disk /dev/sda - 160 GB / 149 GiB - WDC WD1600JD-00HBB0
Partition table type: Intel

Analyse Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63
Geometry from i386 MBR: head=255 sector=63
NTFS at 0/1/1
NTFS at 8451/0/1
NTFS at 14358/0/1
get_geometry_from_list_part_aux head=255 nbr=6
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=6
Current partition structure:
 1 * HPFS - NTFS              0   1  1  8450 254 63  135765252 [MAIN]
 2 P HPFS - NTFS           8451   0  1 14357 254 63   94895955 [GAMES]
 3 P HPFS - NTFS          14358   0  1 19456 254 63   81915435 [PHOTOS]

Dr Jay

  • Malware Removal Specialist


  • Specialist
  • Moderator emeritus
  • Thanked: 119
  • Experience: Guru
  • OS: Windows 10
Re: Google Redirect
« Reply #61 on: March 16, 2010, 11:00:21 AM »
Ok. I hope this will work now.

Please run OTLPE.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:files
C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ERDNT\cache\atapi.sys /replace

:commands
[reboot]
  • Return to OTLPE, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTLPE
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Then, let me know if it can boot.
~Dr Jay

Kerjifire

  • Guest
Re: Google Redirect
« Reply #62 on: March 17, 2010, 04:05:05 AM »
 The OTLPE won't close unless I select YES to reboot. After I click YES it won't reboot, or do I need to wait like 1 hour or something?

Dr Jay

Re: Google Redirect
« Reply #63 on: March 17, 2010, 02:01:15 PM »
Did you try to manually reboot?
~Dr Jay

Kerjifire

  • Guest
Re: Google Redirect
« Reply #64 on: March 18, 2010, 12:48:53 AM »
After manual reset, it still can't boot  :(

Dr Jay

Re: Google Redirect
« Reply #65 on: March 18, 2010, 08:43:25 AM »
Try the fix once more, and attempt a reboot again, please.
~Dr Jay

Kerjifire

  • Guest
Re: Google Redirect
« Reply #66 on: March 19, 2010, 05:53:18 AM »
same result as above  :'(

Kerjifire

  • Guest
Re: Google Redirect
« Reply #67 on: March 20, 2010, 04:18:13 PM »
YEEESSSS!!!!!  :D

I got it to boot up again. Here's how I did it. When I turned it on, I pressed F8 to load up the Safe Mode, Safe Mode with Networking menu thing. Then I selected Boot with Last Known Working Settings and it booted up normally. Then I ran the OTL thing and replaced it and reset and now it works :D

Now can you help me with updating my Malwarebytes? It comes up with this:



[Saving space, attachment deleted by admin]

Kerjifire

  • Guest
Re: Google Redirect
« Reply #68 on: March 20, 2010, 08:34:38 PM »
I changed antiviruses to Avira AntiVir so that wouldn't happen again.
Also, should I be worried by this:

[Saving space, attachment deleted by admin]

Dr Jay

Re: Google Redirect
« Reply #69 on: March 20, 2010, 09:13:00 PM »
Good job. ;D

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.
2. Restart your computer (very important).
3. Download and run this utility.
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here.

Open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
~Dr Jay

Kerjifire

  • Guest
Re: Google Redirect
« Reply #70 on: March 20, 2010, 10:29:54 PM »
The thing is I can't access the Malwarebytes site or the Superantispyware. It comes up with Problem Loading Page. I'll download MBclean from another PC

Malwarebytes did not update.


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/03/2010 4:20:06 PM
mbam-log-2010-03-21 (16-20-06).txt

Scan type: Quick Scan
Objects scanned: 174234
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
« Last Edit: March 20, 2010, 11:17:45 PM by Kerjifire »

Kerjifire

  • Guest
Re: Google Redirect
« Reply #71 on: March 21, 2010, 05:27:55 AM »
My new antivirus, Avira AntiVir, detected atapi.sys as malware.

Here's the log:



Avira AntiVir Personal
Report file date: Sunday, 21 March 2010  21:37

Scanning for 1879445 virus strains and unwanted programs.

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : S Chung
Computer name   : CSC2


Configuration settings for the scan:
Jobname.............................: Manual Selection
Configuration file..................: C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira\AntiVir Desktop\PROFILES\folder.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, 21 March 2010  21:37

Starting search for hidden objects.
c:\windows\system32\sys_drv.dat
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4c18f7de.qua'  ( QUARANTINE )
c:\windows\system32\sys_drv_2.dat
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4d9266d7.qua'  ( QUARANTINE )
c:\windows\system32\winfldrv.sys
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4c13f7ce.qua'  ( QUARANTINE )
c:\documents and settings\s chung\application data\systemfl.$dk
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4d961717.qua'  ( QUARANTINE )
'68161' objects were checked, '4' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'javaw.exe' - '1' Module(s) have been scanned
Scan process 'WinManager.exe' - '1' Module(s) have been scanned
Scan process 'wrapper.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'LogitechDesktopMessenger.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'BDTUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'opwareSE2.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'DNTVSchedulerProTray.exe' - '1' Module(s) have been scanned
Scan process 'ForceField.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ISWSVC.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!
Master boot sector HD1
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '69' files ).


Starting the file scan:

Begin scan in 'C:\' <MAIN>
C:\hiberfil.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\Documents and Settings\S Chung\Desktop\ \Downloadz\zaSetup_91_007_002_en.exe
    [0] Archive type: ZIP SFX (self extracting)
    --> SWITCHUNINST_44ZONE LABS.EXE
      [1] Archive type: RSRC
    --> WINDOWS6.0-KB929547-V2-X64.MSU
      [1] Archive type: CAB (Microsoft)
      --> Windows6.0-KB929547-v2-x64.cab
        [WARNING]   No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\maxdriver\atapi.sys
    [DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:
C:\WINDOWS\maxdriver\atapi.sys
    [DETECTION] Is the TR/Patched.Gen Trojan
    [NOTE]      The file was moved to '4c070349.qua'!


End of the scan: Sunday, 21 March 2010  22:28
Used time: 50:34 Minute(s)

The scan has been done completely.

  13146 Scanned directories
 564106 Files were scanned
      1 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      5 Files were moved to quarantine
      0 Files were renamed
      2 Files cannot be scanned
 564103 Files not concerned
   4673 Archives were scanned
      3 Warnings
      7 Notes
  68161 Objects were scanned with rootkit scan
      4 Hidden objects were found
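
As an added example (not part of the thread and not Avira's own tooling), a short Python parser for the report format posted above: it collects hidden objects, detections and quarantine names per file, then compares the parsed counts with the totals the report states for itself. The function names are hypothetical, and the sample input is excerpted from the report in this post.

```python
import re

# Sample input: lines excerpted from the Avira AntiVir report posted above.
SAMPLE_REPORT = r"""
c:\windows\system32\sys_drv.dat
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4c18f7de.qua'  ( QUARANTINE )
c:\windows\system32\sys_drv_2.dat
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4d9266d7.qua'  ( QUARANTINE )
c:\windows\system32\winfldrv.sys
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4c13f7ce.qua'  ( QUARANTINE )
c:\documents and settings\s chung\application data\systemfl.$dk
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4d961717.qua'  ( QUARANTINE )
'68161' objects were checked, '4' hidden objects were found.
C:\WINDOWS\maxdriver\atapi.sys
    [DETECTION] Is the TR/Patched.Gen Trojan
    [NOTE]      The file was moved to '4c070349.qua'!
      1 Viruses and/or unwanted programs were found
      5 Files were moved to quarantine
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")            # a file line starts at column 0
TAG_RE = re.compile(r"^\s+\[(INFO|NOTE|WARNING|DETECTION)\]\s+(.*)$")
QUA_RE = re.compile(r"'([0-9a-f]+\.qua)'")            # quarantine container name
DET_RE = re.compile(r"Is the (\S+)")                  # detection name
SUMMARY_RE = {
    "hidden": re.compile(r"'(\d+)' hidden objects were found"),
    "detections": re.compile(r"^\s*(\d+) Viruses and/or unwanted programs were found"),
    "quarantined": re.compile(r"^\s*(\d+) Files were moved to quarantine"),
}

def parse_report(text):
    """Return (findings keyed by lowercased path, totals the report states)."""
    findings, summary, cur = {}, {}, None
    for line in text.splitlines():
        for key, rx in SUMMARY_RE.items():
            if (m := rx.search(line)):
                summary[key] = int(m.group(1))
        if PATH_RE.match(line):
            # Windows paths are case-insensitive and the report mixes cases.
            cur = findings.setdefault(
                line.strip().lower(), {"hidden": False, "detection": None, "quarantine": None})
        elif cur is not None and (m := TAG_RE.match(line)):
            tag, msg = m.groups()
            if tag == "INFO" and "not visible" in msg:
                cur["hidden"] = True
            elif tag == "DETECTION" and (d := DET_RE.search(msg)):
                cur["detection"] = d.group(1)
            elif tag == "NOTE" and (q := QUA_RE.search(msg)):
                cur["quarantine"] = q.group(1)
    return findings, summary

def cross_check(findings, summary):
    """Pair each parsed count with the total the report states for itself."""
    counts = {
        "hidden": sum(f["hidden"] for f in findings.values()),
        "detections": sum(f["detection"] is not None for f in findings.values()),
        "quarantined": sum(f["quarantine"] is not None for f in findings.values()),
    }
    return {k: (n, summary.get(k)) for k, n in counts.items()}

if __name__ == "__main__":
    findings, summary = parse_report(SAMPLE_REPORT)
    for path, flags in findings.items():
        print(path, flags)
    print(cross_check(findings, summary))
```

A mismatch between a parsed count and the stated total means the pasted log is truncated or a line format was not recognised, which is worth knowing before acting on it.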


Dr Jay

Re: Google Redirect
« Reply #72 on: March 21, 2010, 01:33:32 PM »
I already knew that. :P

Luckily it did not detect the legit one (C:\windows\system32\atapi.sys)

That is the same infection that is continually giving the Google Redirects. Let's put its book on the shelf. ;D

  • Please download maxlook and save the file to your desktop.
    • Double click maxlook.exe to run it. Note - you must run it only once!
    • As instructed when the tool runs, restart the computer and logon to the Recovery Console.
  • Start the Recovery Console directly from the Windows XP CD by doing the following:
    • Insert the Windows XP CD in your computer.
    • Restart your computer so you are booting off of the CD.
    • When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.
    • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
  • Type the following bolded command at the C:\windows> prompt and press Enter:
      batch look.bat
    • You will see "1 file(s) copied" many times then return to the c:\windows> prompt.
    • Type Exit and press Enter to restart your computer then logon in normal mode.
    • Please run maxlook.exe again now. Note - you must run it only once!
      • It will produce looklog.txt on the desktop.
      • Please post the results here.
~Dr Jay

Kerjifire

  • Guest
Re: Google Redirect
« Reply #73 on: March 22, 2010, 01:35:13 AM »
Um... ok? Maxlook didn't ask me to reset. Instead it popped up like this:

Run from C:\Documents and Settings\S Chung\Desktop\maxlook.exe on Mon 22/03/2010 at 18:38:21.93

No infected file found

atapi.sys has gone missing!
avgntdd.sys has gone missing!
avgntflt.sys has gone missing!
avgntmgr.sys has gone missing!
avipbb.sys has gone missing!
ssmdrv.sys has gone missing!

Dr Jay

Re: Google Redirect
« Reply #74 on: March 22, 2010, 08:34:18 AM »
Ok. Do not reboot your computer until I tell you to. MaxLook did not reboot, because atapi.sys is missing apparently. (If you accidentally shut it down or reboot, your computer may not boot anymore.)

Let's do this and replace it:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
~Dr Jay