Ordinarily I don't touch Microsoft computers – they just aren't user friendly. But when my iBook melted its logic board yet again, I found myself working with the family computer.
Through a sea of program and document icons on screen I found Internet Explorer. And after a while I noticed the search results in Internet Explorer with Google differed from the searches in Safari, Opera, Firefox, or Chrome. For example, a search for Ask Jeeves in every other web browser returned:
http://www.ask.com/
In Internet Explorer a Google search for Ask Jeeves returned this instead:
http://216.195.52.100/go.php?c=TsuW...o/oNFVL8WuLo7UdqsC9w=+rfr=gsso`~~onqmanzqc^tr
I decided to find out just what this 216.195.52.100 business is about and found this web site – The Fire – that suggested I had a bug somewhere on the machine. My searches using the find function under the Start menu turned up nothing – no tiny flash files anywhere on the computer. Just to be sure, I downloaded Avast antivirus software, ran it, and after a week of daily scans, I found nothing.
I also noticed another problem with Microsoft Word. It took two minutes or more for a new blank document to appear. I began searching for reasons why the program was so slow and I ran across this web site – Rootkit Revealer. I decided to give the program a whirl.
Many things showed up – such as files with very long, very descriptive names. But nothing bad except for one lone file near the bottom of the list.
C:\Program Files\Common Files\System\k_rmpfrd32.dll 17.50 KB Hidden from Windows API.
When I searched for it I couldn't find it. I booted up in Safe Mode and I didn't find it. Then I booted up in the lowest mode possible in Windows – the command line prompt. After typing a lot of CD and double periods, I found the file, moved it up to the C directory, and restarted.
Every time I click on this file, Avast lights up like a nuclear missile launch.
As a side effect, the problems with Internet Explorer searches vanished. Also, Word managed to load a new blank page in two seconds. Oddly, upon scanning with Rootkit Revealer again, two files disappeared from the registry:
(1) \Local Settings\Application Data\Microsoft\Messenger\xxredesignedxx@hotmail.com\SharingMetadata\cosmicburst@hotmail.com\DFSR\Staging\CS{0D72DE90-FB8C-E008-53E6-42952A3CA5B4}\01\10-{0D72DE90-FB8C-E008-53E6-42952A3CA5B4 – 8 bytes – Hidden from Windows API.
(2) \Local Settings\Application Data\Microsoft\Messenger\xxredesignedxx@hotmail.com\SharingMetadata\cosmicburst@hotmail.com\DFSR\Staging\CS{0D72DE90-FB8C-E008-53E6-42952A3CA5B4}\20\20-{92252387-ECE9-4D07-84AE-DF63D1D64720 – 80 bytes – Hidden from Windows API.
I cannot tell what they do. But I've discovered two other suspicious files.
HKLM\SECURITY\Policy\Secrets\SAC* – 0 bytes – Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* – 0 bytes – Key name contains embedded nulls (*)
I haven't fooled with them. Not exactly sure what they do. But the mouse occasionally drifts upward for no reason, the screen slowly dims and brightens up once in a while, and the keyboard occasionally ignores the shift key.
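As an added example (not part of the post above, and not a Sysinternals tool), here is a small Python triage script for result lines in the "path – size – description" shape the post quotes from Rootkit Revealer. It parses each line, converts the size field to bytes, tells registry discrepancies from file discrepancies, and assigns a review priority: a file hidden from the Windows API with a code extension (like the k_rmpfrd32.dll the post found) goes to the top of the list, while key names with embedded nulls are marked for comparison against a known-clean machine, because some legitimate Windows components also use such names. The sample report, the extension list and the priority labels are my own constructions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same "path – size – description" layout as the
# results quoted in the post. Paths, sizes and descriptions are the ones the
# post reports; the line layout itself is an assumption for this example.
SAMPLE_REPORT = """\
C:\\Program Files\\Common Files\\System\\k_rmpfrd32.dll – 17.50 KB – Hidden from Windows API.
HKLM\\SECURITY\\Policy\\Secrets\\SAC* – 0 bytes – Key name contains embedded nulls (*)
HKLM\\SECURITY\\Policy\\Secrets\\SAI* – 0 bytes – Key name contains embedded nulls (*)
"""

SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(bytes?|KB|MB)$", re.IGNORECASE)
UNIT_MULT = {"byte": 1, "bytes": 1, "kb": 1024, "mb": 1024 * 1024}
# Extensions that deserve the highest priority when hidden (assumed list).
CODE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".scr")
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


@dataclass
class Finding:
    path: str
    size_bytes: int
    description: str
    kind: str         # "file" or "registry"
    discrepancy: str  # "hidden", "embedded_nulls" or "other"
    priority: str     # "high", "medium" or "review"


def parse_size(text):
    """Convert '17.50 KB', '80 bytes', ... to an integer byte count."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size field: {text!r}")
    value, unit = m.groups()
    return int(float(value) * UNIT_MULT[unit.lower()])


def classify(path, description):
    """Return (kind, discrepancy, priority) for one result line."""
    kind = "registry" if path.upper().startswith(REGISTRY_HIVES) else "file"
    desc = description.lower()
    if "hidden from windows api" in desc:
        discrepancy = "hidden"
    elif "embedded nulls" in desc:
        discrepancy = "embedded_nulls"
    else:
        discrepancy = "other"

    if discrepancy == "hidden" and kind == "file" and path.lower().endswith(CODE_EXTENSIONS):
        # Code hidden from the normal file API is the classic rootkit symptom.
        priority = "high"
    elif discrepancy == "hidden":
        priority = "medium"
    else:
        # Embedded-null key names are also created by some legitimate Windows
        # components, so compare against a known-clean system before acting.
        priority = "review"
    return kind, discrepancy, priority


def parse_report(text):
    """Parse every non-empty line of a report into Finding objects."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" – ")
        if len(parts) < 3:
            raise ValueError(f"malformed result line: {line!r}")
        path, size_text = parts[0], parts[1]
        description = " – ".join(parts[2:])
        kind, discrepancy, priority = classify(path, description)
        findings.append(Finding(path, parse_size(size_text), description,
                                kind, discrepancy, priority))
    # Highest priority first so the items to quarantine appear at the top.
    order = {"high": 0, "medium": 1, "review": 2}
    findings.sort(key=lambda f: order[f.priority])
    return findings


def summarize(findings):
    """Count findings per priority bucket."""
    counts = {}
    for f in findings:
        counts[f.priority] = counts.get(f.priority, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"[{f.priority:6}] {f.kind:8} {f.discrepancy:14} {f.size_bytes:>6} B  {f.path}")
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run on the sample, the hidden DLL under Program Files comes out first as the one item to pull off the machine and scan, while the two registry keys are listed separately for comparison rather than deletion.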