Dear friends,
I have had these 2 problems for a few months:
- My Chrome/Internet Explorer/Firefox would always search with “globasearch.com”. I first uninstalled it and then removed it from preferences, and also cleared things like: "c:\program files\internet explorer\ie.exe globasearch.com"
For a month or two I thought it was gone… Then something weird started to happen. Only once after each time I have a full antivirus scan or fix the MBR, when I write in the address bar of Chrome to search, it searches with a “google partner”, not showing “globasearch.com” this time. It feels like the CIS virus years ago. You would fdisk the machine and after tens of times, it would pop up “Ha ha ha! You still couldn’t delete me!”
- On Avast and Comodo, and sometimes on Windows Update, I cannot update the virus definitions.
I scanned today with aswMBR and here’s the log output:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-10 18:28:18
18:28:18.689 OS Version: Windows 6.1.7601 Service Pack 1
18:28:18.689 Number of processors: 2 586 0x1C02
18:28:18.695 ComputerName: COMPNAME UserName:
18:28:19.585 Initialize success
18:28:19.969 AVAST engine defs: 13040700
18:28:54.172 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
18:28:54.181 Disk 0 Vendor: Hitachi_HTS543216L9SA00 FB2OC40C Size: 152627MB BusType: 3
18:28:54.272 Disk 0 MBR read successfully
18:28:54.283 Disk 0 MBR scan
18:28:54.298 Disk 0 Windows 7 default MBR code
18:28:54.313 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 84810 MB offset 63
18:28:54.361 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 62761 MB offset 173694780
18:28:54.413 Disk 0 Partition 3 00 0C FAT32 LBA MSDOS5.0 5004 MB offset 302230845
18:28:54.471 Disk 0 Partition 4 00 EF EFI FAT A1359 47 MB offset 312480315
18:28:54.530 Disk 0 scanning sectors +312576705
18:28:54.710 Disk 0 scanning C:\Windows\system32\drivers
18:29:43.197 Service scanning
18:35:44.718 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
18:35:46.198 Service Spyshelter C:\Program Files\SpyShelter Personal Free\SpyShelter.sys LOCKED 32
18:37:33.928 Modules scanning
18:38:05.373 Disk 0 trace - called modules:
18:38:05.460 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x865301f8]<<
18:38:05.489 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x866e4030]
18:38:05.515 3 CLASSPNP.SYS[89b9259e] → nt!IofCallDriver → [0x86591918]
18:38:05.543 5 ACPI.sys[895ba3d4] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x865fd030]
18:38:05.570 \Driver\atapi[0x865fbf38] → IRP_MJ_CREATE → 0x865301f8
18:38:06.431 AVAST engine scan C:\Windows\System32
18:45:22.881 File: C:\Windows\System32\csrsrv.dll INFECTED Win32:Aluroot-B [Rtk]
18:55:55.239 File “C:\Windows\System32\csrsrv.dll” has been saved successfully to:
18:55:55.240 “D:\linux rescues untried\copy_csrsrv.dll”
19:03:19.148 Scan finished successfully
19:04:26.807 Disk 0 MBR has been saved successfully to “C:\Users\LauraHikgen\Desktop\MBR.dat”
19:04:26.845 The log file has been saved successfully to “C:\Users\LauraHikgen\Desktop\aswMBR.txt”
Please disregard sptd.sys and SpyShelter.sys, as they are legitimate files.
Btw, I already tried RKill, ComboFix and at least 20 different antivirus and rootkit detectors. None works.
Thanks!