BleepingComputer.com: Google redirect and randomly opening Internet Explorer (I don't even HAVE Internet Explorer!)


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title, e.g. Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.


#16 gringo_pr (Malware Response Team)

Posted 01 November 2011 - 04:43 PM

Hello

I want you to run this custom OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    :otl
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3231788152-3730241648-3555179068-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-3231788152-3730241648-3555179068-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O33 - MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\Shell\AutoRun\command - "" = E:\SETUP.EXE
    O33 - MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\Shell\configure\command - "" = E:\SETUP.EXE
    O33 - MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\Shell\install\command - "" = E:\SETUP.EXE
    O33 - MountPoints2\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\Shell - "" = AutoRun
    O33 - MountPoints2\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\Shell\AutoRun\command - "" = F:\AutoLaunch.exe
    O33 - MountPoints2\F\Shell - "" = AutoRun  
    FF - prefs.js..extensions.enabledItems: {34EFA911-B536-4C08-BECE-CD5E55C875B0}:1.0
    O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
    O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-3231788152-3730241648-3555179068-1000\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll (Conduit Ltd.)
    [2011/10/21 16:45:12 | 000,000,232 | ---- | C] () -- C:\ProgramData\~6DSS92c31Apgjk
    [2011/10/21 16:45:12 | 000,000,120 | ---- | C] () -- C:\ProgramData\~6DSS92c31Apgjkr
    [2011/10/21 16:45:06 | 000,000,440 | ---- | C] () -- C:\ProgramData\6DSS92c31Apgjk
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    

  • Then click the Run Fix button at the top.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donation link. Don't worry, every little bit helps.
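The fix script above targets a fixed set of autostart and persistence locations: Browser Helper Objects (O2), IE toolbars (O3), Run/RunOnce (O4), IE menu and button extensions (O8/O9), URL protocol handlers (O18), Winlogon values (O20), ShellServiceObjectDelayLoad (O21), MountPoints2 AutoRun handlers for removable media (O33) and Firefox plugin/extension registrations (FF). Most of the entries are orphans (the registry key survives but the file or CLSID behind it is gone); only a handful are live and backed by a binary on disk, and those are what the fix actually removes. The Python below is an added example, not OTL's code and not part of the original post: it parses lines in OTL's log format, maps each section code to the location it describes, separates orphaned registrations from live ones, and pulls out the AutoRun commands. The sample input is a subset of lines from the script above; the section descriptions are this example's own wording, and the regular expressions are an assumption about OTL's output format rather than a published grammar.

```python
"""Triage OTL log lines: which persistence entries are orphans, which are live,
and which commands fire from MountPoints2 AutoRun.  Added example, not OTL code."""
import re

# OTL section codes -> the persistence/autostart location they describe.
# Descriptions are this example's own wording (assumption, not OTL documentation).
OTL_SECTIONS = {
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O4": "Run / RunOnce autostart",
    "O8": "IE context-menu extension",
    "O9": "IE extra button / Tools menu item",
    "O18": "URL protocol handler",
    "O20": "Winlogon value",
    "O21": "ShellServiceObjectDelayLoad (SSODL)",
    "O33": "MountPoints2 AutoRun (removable media)",
    "FF": "Firefox plugin / extension preference",
}
# Markers OTL prints when the registry entry no longer points at anything real.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error")

ENTRY_RE = re.compile(r"^(?P<code>O\d+|FF)(?::64bit:)?\s+-\s+(?P<body>.*)$")
FILE_RE = re.compile(r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\(\)\s*--\s*(?P<path>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)", re.IGNORECASE)


def parse_line(line):
    """Turn one OTL line into a dict, or None for lines that are not entries."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:  # "[date | size | attrs | C] () -- path" file listing
        return {"kind": "file", "path": m.group("path").strip(),
                "size": int(m.group("size").replace(",", ""))}
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    guid = GUID_RE.search(body)
    path = PATH_RE.search(body)
    entry = {
        "kind": "entry",
        "code": code,
        "location": OTL_SECTIONS.get(code, "other"),
        "view64": ":64bit:" in line,          # 64-bit registry view in OTL's notation
        "status": "orphan" if any(k in body for k in ORPHAN_MARKERS) else "active",
        "guid": guid.group(0) if guid else None,   # CLSID, or volume GUID for O33
        "path": path.group(0) if path else None,
        "autorun_command": None,
    }
    if code == "O33" and "\\AutoRun\\command" in body and "= " in body:
        entry["autorun_command"] = body.split("= ", 1)[1].strip()
    return entry


def triage(lines):
    """Group parsed lines into orphans, live entries, AutoRun commands and files."""
    report = {"orphan": [], "active": [], "autorun": [], "files": []}
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["kind"] == "file":
            report["files"].append(e["path"])
            continue
        report[e["status"]].append(e)
        if e["autorun_command"]:
            report["autorun"].append(e["autorun_command"])
    return report


def removal_targets(report):
    """Binaries behind live entries: these, not the orphans, are what a fix removes."""
    return sorted({e["path"] for e in report["active"] if e["path"]})


# Constructed sample: a subset of the lines from the OTL fix script above.
SAMPLE_OTL = r'''
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O33 - MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\Shell\AutoRun\command - "" = F:\AutoLaunch.exe
FF - prefs.js..extensions.enabledItems: {34EFA911-B536-4C08-BECE-CD5E55C875B0}:1.0
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll (Conduit Ltd.)
[2011/10/21 16:45:12 | 000,000,232 | ---- | C] () -- C:\ProgramData\~6DSS92c31Apgjk
[2011/10/21 16:45:06 | 000,000,440 | ---- | C] () -- C:\ProgramData\6DSS92c31Apgjk
'''

if __name__ == "__main__":
    r = triage(SAMPLE_OTL.splitlines())
    print(f"orphans: {len(r['orphan'])}, live: {len(r['active'])}, files: {len(r['files'])}")
    for e in r["active"]:
        print(f"  live {e['code']:<3} {e['location']}: {e['path'] or e['guid']}")
    print("AutoRun commands:", r["autorun"])
    print("removal targets:", removal_targets(r))
```

The split between orphan and live entries is the useful part of a triage pass: the live ones (here the Conduit BHO and toolbar DLLs, and the two AutoRun commands pointing at removable media) are where code actually runs, while the orphans are hygiene.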

#17 southpawmegan (Member)

Posted 01 November 2011 - 08:39 PM

All processes killed
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3231788152-3730241648-3555179068-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-3231788152-3730241648-3555179068-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
File Protocol\Handler\livecall - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
File Protocol\Handler\ms-help - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
File Protocol\Handler\msnim - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.
File Protocol\Handler\skype-ie-addon-data - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
File Protocol\Handler\wlmailhtml - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.
File Protocol\Handler\wlpg - No CLSID value found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27df08ba-6d22-11df-b009-806e6f6e6963}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{da35a4bd-aaf6-11e0-895a-406186b2f94c}\ not found.
File F:\AutoLaunch.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Prefs.js: {34EFA911-B536-4C08-BECE-CD5E55C875B0}:1.0 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ deleted successfully.
C:\Program Files (x86)\uTorrentBar\tbuTor.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
File C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ not found.
File C:\Program Files (x86)\uTorrentBar\tbuTor.dll not found.
Registry value HKEY_USERS\S-1-5-21-3231788152-3730241648-3555179068-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}\ not found.
File C:\Program Files (x86)\uTorrentBar\tbuTor.dll not found.
C:\ProgramData\~6DSS92c31Apgjk moved successfully.
C:\ProgramData\~6DSS92c31Apgjkr moved successfully.
C:\ProgramData\6DSS92c31Apgjk moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\southpaw\Desktop\Downloads\cmd.bat deleted successfully.
C:\Users\southpaw\Desktop\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: southpaw
->Temp folder emptied: 885056776 bytes
->Temporary Internet Files folder emptied: 2071844244 bytes
->Java cache emptied: 45905 bytes
->FireFox cache emptied: 222720917 bytes
->Flash cache emptied: 128686 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 126277099 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67697 bytes
RecycleBin emptied: 16199743179 bytes

Total Files Cleaned = 18,602.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: southpaw
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 11012011_191621

Files\Folders moved on Reboot...
File\Folder C:\Users\southpaw\AppData\Local\Temp\fla1B98.tmp not found!
File\Folder C:\Users\southpaw\AppData\Local\Temp\flaB7F3.tmp not found!
C:\Users\southpaw\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Temp\tmpCB7E.tmp not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DFE284C-C8B0-4ED9-9292-7EE441E7B5CD}.tmp moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF628CE3-8D9B-4858-AA08-2604802089F6}.tmp not found!
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E084006A-F766-4BA4-AB8F-4E367794AB81}.tmp not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F178965C-72D7-4B1D-8B57-89C69D94F844}.tmp moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FD97C44C-E953-4BB0-B460-A500DA927139}.tmp moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FBA0A2A.jpg not found!
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F87E98D.jpg not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ90EIJW\ddc[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ90EIJW\index[3].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ90EIJW\login_status[3].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ90EIJW\track[1] moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDKQ0QKH\maincomp[1].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\01[1].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\B5645277[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\beacon[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\ddc[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\empty[1].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\if[1].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7MS60QPN\pixel[1].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\01[1].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\1032108165[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\aceUACping[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\channels[1].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\if[1].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\like[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6TNSIOV3\login_status[6].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\ac3[2].htm not found!
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\ac3[3].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\api[1].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\api[2].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\Carra-dagneau-a-la-Tapenade[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\dynamic_companion_banner_iframe[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\ff2[1].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\ff2[2].htm moved successfully.
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\iframe[2].htm moved successfully.
File\Folder C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\if[1].htm not found!
C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AEHYEW4\zpu[1].htm moved successfully.
File move failed. C:\Users\southpaw\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#18 gringo_pr (Malware Response Team)

Posted 01 November 2011 - 08:41 PM

how are things running now?


gringo

#19 southpawmegan (Member)

Posted 02 November 2011 - 09:38 AM

Same old, same old. Phantom music and ads woke us up at 4 am haha. IE still opening all over and search redirect still a huge PITA. Are the logs showing things should be working well?

#20 gringo_pr (Malware Response Team)

Posted 02 November 2011 - 12:32 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.




Gringo

#21 southpawmegan (Member)

Posted 02 November 2011 - 02:54 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-02 13:53:47
-----------------------------
13:53:47.404 OS Version: Windows x64 6.1.7600
13:53:47.404 Number of processors: 4 586 0x2502
13:53:47.404 ComputerName: SOUTHPAW-MSI UserName: southpaw
13:53:49.725 Initialize success
13:53:58.976 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:53:58.976 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
13:53:58.996 Disk 0 MBR read successfully
13:53:58.996 Disk 0 MBR scan
13:53:59.006 Disk 0 TDL4@MBR code has been found
13:53:59.006 Disk 0 Windows 7 default MBR code found via API
13:53:59.016 Disk 0 MBR hidden
13:53:59.016 Disk 0 MBR [TDL4] **ROOTKIT**
13:53:59.026 Disk 0 trace - called modules:
13:53:59.036 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800461b254]<<
13:53:59.036 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004603060]
13:53:59.046 3 CLASSPNP.SYS[fffff88001b8543f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004331050]
13:53:59.046 \Driver\iaStor[0xfffffa80042f3970] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800461b254
13:53:59.056 Scan finished successfully
13:54:10.559 Disk 0 MBR has been saved successfully to "C:\Users\southpaw\Desktop\MBR.dat"
13:54:10.559 The log file has been saved successfully to "C:\Users\southpaw\Desktop\aswMBR.txt"
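The three lines that matter in the log above are "TDL4@MBR code has been found", "Windows 7 default MBR code found via API" and "MBR hidden". Read together they describe a cross-view discrepancy: the rootkit hooks the disk stack (the trace shows an unknown handler for IRP_MJ_INTERNAL_DEVICE_CONTROL in \Driver\iaStor) so that reads of sector 0 through the normal API return clean Windows 7 boot code, while the sector actually on disk holds the TDL4 loader. The Python below is an added example, not aswMBR's code and not part of the original post: it compares two 512-byte views of the MBR (the API view and a raw view), reports when the boot code or partition table differ, and computes the unpartitioned tail of the disk, which is where TDL4 keeps its hidden file system. The two MBR images and the disk size are constructed here for illustration; the boot-code bytes are placeholders, not real loader code, and obtaining a genuinely independent raw read on an infected system is the hard part that this example does not solve.

```python
"""Cross-view MBR check: API view versus raw view of sector 0.
Added example; the sample MBRs below are constructed, not real disk images."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 boot code; 440..443 disk signature; 444..445 reserved
PT_OFFSET = 446          # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    ptype: int
    lba_start: int
    sectors: int


def parse_partitions(mbr):
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba_start, sectors))
    return parts


def boot_code_hash(mbr):
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def cross_view(api_view, raw_view):
    """Findings from comparing the OS-API view of sector 0 with a raw read of it."""
    findings = []
    for name, view in (("api", api_view), ("raw", raw_view)):
        if len(view) != SECTOR:
            findings.append(f"{name}: expected {SECTOR} bytes, got {len(view)}")
        elif view[510:512] != BOOT_SIG:
            findings.append(f"{name}: missing 55AA boot signature")
    if findings:
        return findings
    if api_view[:BOOT_CODE_LEN] != raw_view[:BOOT_CODE_LEN]:
        api_h, raw_h = boot_code_hash(api_view)[:16], boot_code_hash(raw_view)[:16]
        findings.append(f"MBR hidden: boot code differs between API and raw read (api={api_h} raw={raw_h})")
    if api_view[PT_OFFSET:510] != raw_view[PT_OFFSET:510]:
        findings.append("partition table differs between API and raw read")
    return findings


def unallocated_tail(mbr, disk_sectors):
    """Sectors after the last partition; TDL4 stores its hidden file system there."""
    end = max((p.lba_start + p.sectors for p in parse_partitions(mbr)), default=0)
    return max(disk_sectors - end, 0)


def build_mbr(boot_code, partitions):
    """Assemble a constructed 512-byte MBR from placeholder boot code and a partition list."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PT_OFFSET + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed views. The API path returns what the rootkit's disk filter hands
# back (clean-looking code); the raw path returns the loader actually on disk.
# Neither byte string is real boot code; both are placeholders for this example.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
ROOTKIT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xe8" + b"\xcc" * 16
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 976000000)]
DISK_SECTORS = 976773168  # assumed size, roughly the 476,940 MB disk in the log


def sample_views():
    return build_mbr(CLEAN_CODE, PARTS), build_mbr(ROOTKIT_CODE, PARTS)


if __name__ == "__main__":
    api, raw = sample_views()
    for finding in cross_view(api, raw):
        print(finding)
    print("unallocated tail sectors:", unallocated_tail(raw, DISK_SECTORS))
```

The check is only as good as the independence of the raw read: on a live infected system the filter driver sees every request that goes through the normal disk stack, so tools of this kind reach the hardware another way, or the sector is read from a boot CD or another machine with the disk attached. An MBR.dat saved by aswMBR (as in the log) can be compared against a known-good copy with the same functions.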

#22 gringo_pr (Malware Response Team)

Posted 02 November 2011 - 03:47 PM

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.

  • Save the log as before and post in your next reply.


#23 gringo_pr (Malware Response Team)

Posted 05 November 2011 - 06:36 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo

#24 gringo_pr (Malware Response Team)

Posted 07 November 2011 - 11:13 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
