Infected with a Search Engine Hijacker


19 replies to this topic

#1 sdg
  • Members
  • 10 posts

Posted 13 March 2009 - 12:31 PM

I'm working from my teenage boy's computer which has become infected with a search engine hijacker program. When I use Google to perform a search, links come up as normal, but when I click on a link I'm redirected to another site. Yesterday, when I tried to log onto Bleeps from the infected computer, I was either redirected to another site or an Internet Explorer "failed to connect" message appeared. Just now I tried to log onto your site to get the exact wording of the IE failed to connect message and, to my surprise, was able to connect to Bleeps. So here I am. Yesterday, I downloaded the DDS program to a stick via another un-infected computer, then was successful in downloading and running it on the infected computer. Thank you very much for the support. The log is as follows:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Scott at 9:10:06.50 on Fri 03/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.481 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Scott\Desktop\1234.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/comcast.html
uWindow Title = Windows Internet Explorer provided by Comcast
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
mDefault_Page_URL = hxxp://www.comcast.net
mStart Page = hxxp://www.comcast.net
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: {1d1c9a05-da55-dcb8-1c54-57616f72a240}: {042a27f6-1675-45c1-8bcd-55ad50a9c1d1} - c:\windows\system32\kvptxw.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {f0a4e318-46ff-4547-9823-9074e08be316} - c:\windows\system32\bunuzope.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\scott\locals~1\temp\21.tmp.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ppedixigotane] rundll32.exe "c:\windows\unelojih.dll",e
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ezoboxe] rundll32.exe "c:\windows\Osofox.dll",e
mRun: [rigihejuha] Rundll32.exe "c:\windows\system32\gisisema.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: wonrzp.dll c:\windows\system32\ropepike.dll kvptxw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMeeDuv
LSA: Notification Packages = scecli c:\windows\system32\ropepike.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-9 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-4-9 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-9 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-9 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-9 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-9 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-9 40488]
S1 22d90a22;22d90a22;c:\windows\system32\drivers\22d90a22.sys [2009-2-13 0]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-7 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-9 33832]

=============== Created Last 30 ================

2009-03-13 09:05 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-13 09:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-13 08:05 143,071 a--sh--- c:\windows\system32\kvptxw.dll
2009-03-12 20:05 1,544,926 ---sh--- c:\windows\system32\ezanokan.ini
2009-03-12 20:05 143,104 a--sh--- c:\windows\system32\oxgvjh.dll
2009-03-12 08:05 2,713 ---sh--- c:\windows\system32\yusoviyo.dll
2009-03-12 08:05 1,544,944 ---sh--- c:\windows\system32\ugahakaj.ini
2009-03-12 08:05 144,099 a--sh--- c:\windows\system32\cnpnxj.dll
2009-03-11 20:05 25,961 ---sh--- c:\windows\system32\yirejame.dll
2009-03-11 20:05 1,545,007 ---sh--- c:\windows\system32\uyawalof.ini
2009-03-11 20:05 142,995 a--sh--- c:\windows\system32\sdrfes.dll
2009-03-11 06:43 106,496 a------- c:\windows\system32\FEJOKT.DLL
2009-03-11 06:43 120 a------- c:\windows\system32\kpoujirx.tmp
2009-03-11 06:43 120 a------- c:\windows\system32\haeklrgn.tmp
2009-03-11 06:43 120 a------- c:\windows\system32\haeklrgn.ini
2009-03-11 06:43 72,704 a------- c:\windows\system32\TFQTKGKT.DLL
2009-03-11 06:43 48,128 a------- c:\windows\system32\DDCARSRL.DLL
2009-02-24 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-02-24 19:30 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-02-24 19:30 <DIR> --d----- c:\program files\World of Warcraft
2009-02-23 14:01 197 a------- c:\windows\system32\MRT.INI
2009-02-13 14:21 132,608 a------- c:\windows\unelojih.dll
2009-02-13 14:09 19,214 a------- c:\windows\system32\sf.ico
2009-02-13 14:09 13,942 a------- c:\windows\system32\m3.ico
2009-02-13 14:09 13,942 a------- c:\windows\system32\c.ico
2009-02-13 14:09 11,062 a------- c:\windows\system32\p.ico
2009-02-13 14:09 7,662 a------- c:\windows\system32\m.ico
2009-02-13 14:09 4,286 a------- c:\windows\system32\s.ico
2009-02-13 14:09 3,182 a------- c:\windows\ios.dat
2009-02-13 14:09 0 a------- c:\windows\system32\drivers\22d90a22.sys
2009-02-13 14:09 2 a------- C:\-1803175481
2009-02-13 14:09 <DIR> --d----- c:\windows\system32\inf
2009-02-11 20:47 32,243 a--sh--- c:\windows\system32\vuDeeMoq.ini2
2009-02-11 20:47 31,788 a--sh--- c:\windows\system32\vuDeeMoq.ini

==================== Find3M ====================

2009-03-13 08:05 143,071 a--sh--- c:\windows\system32\matuyavu.dll
2009-03-13 08:05 95,375 a--sh--- c:\windows\system32\nohijira.dll
2009-03-13 08:05 110,255 a--sh--- c:\windows\system32\tehobuja.dll
2009-03-12 20:05 143,104 a--sh--- c:\windows\system32\takitopi.dll
2009-03-12 20:05 95,349 a--sh--- c:\windows\system32\nakonaze.dll
2009-03-12 20:05 110,340 a--sh--- c:\windows\system32\lunazuse.dll
2009-03-12 08:05 95,360 -------- c:\windows\system32\jakahagu.dll
2009-03-12 08:05 144,099 a--sh--- c:\windows\system32\yagehusi.dll
2009-03-12 08:05 109,175 a--sh--- c:\windows\system32\musosami.dll
2009-03-11 20:05 108,263 a--sh--- c:\windows\system32\tizebaju.dll
2009-03-11 20:05 142,995 a--sh--- c:\windows\system32\tijawani.dll
2009-03-11 20:05 95,540 -------- c:\windows\system32\folawayu.dll
2009-02-11 16:52 39,674 a--sh--- c:\windows\system32\XFPrCJjl.ini2
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-07 15:52 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-07 15:50 6,514 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
0000-00-00 00:00 72,797 a--sh--- c:\windows\system32\bunuzope.dll
0000-00-00 00:00 72,797 a--sh--- c:\windows\system32\gisisema.dll
0000-00-00 00:00 72,797 a--sh--- c:\windows\system32\ropepike.dll
2008-09-10 15:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 9:13:49.04 ===============

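A small triage script, added here as an example (it is not part of this thread, of DDS, or of BleepingComputer's tooling), that reads lines in the Pseudo HJT Report format shown in the log above and flags the persistence points a helper checks first: AppInit_DLLs being set at all, LSA Authentication/Notification Packages beyond the stock msv1_0 and scecli, BHOs with no display name or a bare CLSID as the name, and Run entries that launch from a temp folder or load a DLL through rundll32. The sample lines are constructed from the posted log; the baseline sets and the heuristics are the example's own assumptions, not rules taken from DDS.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the format DDS prints in its
# "Pseudo HJT Report" section, modelled on the log posted in this thread.
SAMPLE_REPORT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1d1c9a05-da55-dcb8-1c54-57616f72a240}: {042a27f6-1675-45c1-8bcd-55ad50a9c1d1} - c:\windows\system32\kvptxw.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: {f0a4e318-46ff-4547-9823-9074e08be316} - c:\windows\system32\bunuzope.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\scott\locals~1\temp\21.tmp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ppedixigotane] rundll32.exe "c:\windows\unelojih.dll",e
AppInit_DLLs: wonrzp.dll c:\windows\system32\ropepike.dll kvptxw.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMeeDuv
LSA: Notification Packages = scecli c:\windows\system32\ropepike.dll
"""

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# "Name: {CLSID} - path"; the name part may be empty or itself a CLSID.
BHO_RE = re.compile(r"^(.*?)\{([0-9a-f-]{36})\} - (.*)$", re.I)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)
# Assumed baseline for a stock Windows XP install (example's own assumption).
LSA_BASELINE = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}


@dataclass
class Finding:
    line: str
    reason: str


def check_bho(rest: str) -> str | None:
    """rest is the text after 'BHO: '. Flags missing or CLSID-only display names."""
    m = BHO_RE.match(rest)
    if not m:
        return None
    name = m.group(1).strip().rstrip(":").strip()
    if not name:
        return "BHO with no display name"
    if GUID_RE.match(name):
        return "BHO whose display name is just a CLSID"
    return None


def check_run(rest: str) -> str | None:
    """rest is '[Name] command'. Heuristic: temp-folder launches and rundll32 loads."""
    m = re.match(r"\[(.*?)\]\s*(.*)", rest)
    if not m:
        return None
    cmd = m.group(2)
    if TEMP_RE.search(cmd):
        return "Run entry launches from a temp directory"
    if re.match(r"rundll32(\.exe)?\s", cmd, re.I):
        return "Run entry loads a DLL via rundll32 (inspect the DLL)"
    return None


def check_lsa(rest: str) -> str | None:
    """rest is 'Key = pkg1 pkg2 ...'. Flags packages outside the baseline set."""
    key, _, value = rest.partition(" = ")
    baseline = LSA_BASELINE.get(key.strip().lower())
    if baseline is None:
        return None
    extra = [p for p in value.split() if p.lower() not in baseline]
    if extra:
        return f"LSA {key.strip()} contains non-baseline entries: {' '.join(extra)}"
    return None


def reason_for_line(line: str) -> str | None:
    tag, _, rest = line.partition(": ")
    if tag == "BHO":
        return check_bho(rest)
    if tag.endswith("Run"):          # uRun / mRun
        return check_run(rest)
    if tag == "AppInit_DLLs":
        return "AppInit_DLLs is set (empty on a clean XP install)" if rest.strip() else None
    if tag == "LSA":
        return check_lsa(rest)
    return None


def triage(report: str) -> list[Finding]:
    """Return one Finding per report line that trips a heuristic, in file order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = reason_for_line(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason}\n    {f.line}")
```

The output is a list of leads, not verdicts: every flagged path still has to be cross-checked against the "Created Last 30" and Find3M sections. In the log above, the flagged DLLs appear there with a--sh--- attributes (system plus hidden) under system32, a combination that legitimate application DLLs almost never use, which is what makes them stand out for a helper reading the log.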

#2 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 13 March 2009 - 03:40 PM

Hello, sdg

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 sdg
  • Topic Starter
  • Members
  • 10 posts

Posted 13 March 2009 - 04:31 PM

Hi there Jat90. Thanks for the response. I will be going out of town for a day or two. Take your time on the review. I will check back once I return and send you a note.

I haven't noticed if Bleeps has a donation box. I would be happy to make a contribution for the site's and your generous help. Let me know if and how I can contribute. Many thanks again in advance.

#4 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 14 March 2009 - 07:07 AM

Hello,

Thank you for your generosity but payment is not required, we volunteer to help with no monetary incentives. Thanks again though. Your computer is fairly infected, please do the following:

ComboFix

Please download ComboFix from one of these locations (if you already have ComboFix, then delete it and download again) :

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See this topic to find out how to disable your antivirus and firewall (post #1 and #2).
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not reproduced here):

NOTE**ComboFix was intended to be used under the supervision of a helper, not for general use. This is a powerful tool which can permanently damage your computer.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -


#5 sdg
  • Topic Starter
  • Members
  • 10 posts

Posted 15 March 2009 - 08:41 PM

Hi Jat90,

I got home this afternoon and, working from the infected computer, downloaded ComboFix from link 1. Also, I followed the instructions from your link "How to Temporarily Disable your Anti-Virus" (McAfee and Spybot) then started ComboFix. I'm not convinced that it is running properly. The hourglass icon came on for a few seconds then nothing. I waited a few minutes with no indication that it was running. I was concerned that I had not correctly disabled Spybot, so I "un-installed" Spybot from the computer, restarted the computer, then started ComboFix again. Same thing happened; the hourglass came on for a few seconds then nothing. I decided to leave it alone for a while. It's been around three hours and I still have no indication that the program is running. Neither of the two windows regarding "Windows Recovery Console" have opened up. I'm sending this from a non-infected computer, not wanting to disturb the infected computer should ComboFix be running in the background. Thanks again for your support.

Please advise.

#6 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 16 March 2009 - 06:37 PM

Hello,

This is most likely McAfee interfering with ComboFix; even when it's shut down it still causes problems, therefore it needs to be uninstalled. We can reinstall it afterwards, but not until we have finished with ComboFix.

Uninstall McAfee

Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 and newer versions of McAfee consumer products.
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

Now follow the above steps and run ComboFix. Since you have access to another clean computer, from now on you should transfer tools that we use (such as ComboFix) to your infected computer from your clean one. This way we limit internet access on the infected computer and prevent it being further infected since it now has no Antivirus or Firewall protection.

Edited by Jat90, 16 March 2009 - 06:45 PM.

- Jat90 -


#7 sdg
  • Topic Starter
  • Members
  • 10 posts

Posted 18 March 2009 - 10:11 AM

Hi Jat90, My brother went into the hospital for a planned operation a little sooner than we previously expected. All is well. But I've been out of town for the last couple of days and probably a couple days more, and am therefore away from the infected computer. Please keep my thread active. I'll keep you posted.

Many thanks
sdg

#8 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 19 March 2009 - 03:14 AM

Ok, No Problem :thumbup2:
- Jat90 -


#9 sdg
  • Topic Starter
  • Members
  • 10 posts

Posted 25 March 2009 - 11:14 AM

Hi Jat, I've been working on the infected computer off and on for a few days now as time permits. I've actually spent quite a bit of time with it. The following is a brief of what is going on with it.

I downloaded the McAfee removal tool and loaded it to the desktop as you advised. When I tried to run it, the hourglass icon came on for a few seconds then went off. I left the computer alone for a few hours not knowing if it was running behind the scenes. Eventually, I concluded that the program was not running and then tried to uninstall McAfee using the Windows uninstall feature from the Control Panel. The program ran and uninstalled the McAfee virus protection, firewall, and spyware, but when it came time to uninstall the Security Center, the progress bar stopped moving and stayed that way for hours. I could not restart the computer using the Windows shutdown feature and resorted to turning off the main power.

The computer has been disconnected from the router/internet.

Over the days it became more and more difficult trying to log on and getting to the desktop. At first, every time I got to the desktop a window would appear that stated, "RUNDLL Error loading C:\windows\osofox.dll The specified module could not be found. OK." Sometimes a "send error" message window would appear. Eventually, after several tries, the desktop loaded completely and I clicked on the ComboFix icon. As before, the hourglass icon came on for a few seconds, then off. I left the computer alone for half a day or so before trying to log off. When I moved the cursor to the lower left "start" button to log off, nothing would happen. There was a box in the lower left bar that stated "RUNDLL". When the cursor came over the box the hourglass icon would show up. The computer was frozen. Once again I had to turn it off from the main power.

There are four users on the infected computer. Every time I try to log on using my user name and password the computer would freeze before I got to the desktop. I tried logging on using the other user names. At first I could get to another user's desktop. From another user's desktop I tried to run the McAfee uninstall from Windows, and again the hourglass icon came on for a few seconds then off. It stayed that way for hours. The computer was again frozen and would not let me log off as normal.

Now every time I try to log on, I can get to the screen with the four user names. When I try to log on using any one of the four, the computer will take me to the next screen that states "Welcome loading personal settings" and freeze at that point. I've let it sit for more than 12 hours and nothing has changed.

Is it time to convert this thing to a boat anchor, or is it savable?

Many thanks

#10 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 27 March 2009 - 06:46 AM

Hello,

Your computer is seriously infected and I must warn you we may not be able to completely clean it, but we will give it a try. It seems automated deletion will not go through here. We will try a manual approach; first we will need an updated DDS log.

ReScan

Please rescan with DDS and post DDS.txt
- Jat90 -


#11 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 31 March 2009 - 05:20 AM

Hello,

Are you there?
- Jat90 -


#12 sdg
  • Topic Starter
  • Members
  • 10 posts

Posted 31 March 2009 - 01:13 PM

Hi Jat, Still here. The last time I logged onto the infected computer it took around six hours for the computer to get from entering my user password to the desktop screen. However, the desktop screen is there but when I put the cursor over the lower bar, the little hourglass icon shows up indicating that some program is running. This happened the second to the last time that I tried to log on. I let it sit for a few hours then turned the computer off using the main power switch (I could not use the normal windows log off routine). Since I last tried to log on, I've let the computer sit, with the hourglass icon on, for over three days now with no change.

I believe that it might be terminal. I'm considering buying a new hard drive and reloading Windows and the other programs. My oldest son is rather upset because he will end up losing over a thousand tunes.

Let me know if there is anything else I can try. Thanks very much for your help.

#13 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 02 April 2009 - 05:49 AM

Hello, this seems really bad indeed.

Our method of manual removal would take forever based on the description of problems you have given me. I therefore recommend you go ahead and reformat -- just make sure you back up all your important data.

Try going into Safe Mode when backing up data if normal mode is too slow or unresponsive.
- Jat90 -


#14 sdg
  • Topic Starter
  • Members
  • 10 posts

Posted 02 April 2009 - 12:06 PM

Hi Jat, Please walk me through the procedure for performing a safe mode start up. I'm not familiar with that. Thanks

#15 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 03 April 2009 - 05:04 AM

Hey,

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.
- Jat90 -




