Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search redirect and Blue Screen at Startup


  • This topic is locked This topic is locked
6 replies to this topic

#1 db76

db76

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 26 June 2009 - 10:11 AM

Hello,

A few days ago I started seeing that any clicks on Google search results were redirected to various other sites including "Coupon Mountain", realtor.com, and youtube advertisements.

I tried running Mcaffee's virus scan, spyware doctor, and MalwareBytes AntiMalware programs. Each of these found somthing. I've also starting getting the Blue Screen at startup. I believe this happened once a couple of weeks ago, but since I ran the above listed programs it has happened much more frequently. I get the Blue Screen at startup about 80 or 90% of the time. Occasionally it doesn't happen and I can get online. When it didn't happen this morning I got a dialog at startup which stated that the "system has recovered from a serious error" and gave the following error signature:

BCCode 100000d1 BCP1: E1D38000 BCP2: 00000002 BCP3: 00000000 BCP4: EECC9E85
OSVer5_1_2600 SP: 3_0 PRODUCT 256_1

I checked to see if there was a problem with the RAM (by pulling out each module independently), but this didn't stop the Blue screen from appearing.

It looks like my Memorex DVD player is not working now.

I would greatly appreciate any help you could offer.

Here is my DDS log


DDS (Ver_09-05-14.01) - NTFSx86
Run by db76 at 11:23:09.57 on 06/25/09
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.132 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swagent.exe
C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swstrtr.exe
C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swsoc.exe
C:\JRun4\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\JRun4\bin\jrunsvc.exe
C:\JRun4\bin\jrunsvc.exe
C:\JRun4\bin\jrun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\JRun4\bin\jrun.exe
C:\JRun4\verity\k2\_nti40\bin\k2server.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\JRun4\verity\k2\_nti40\bin\k2index.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/mywaybiz
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:8500/CFIDE/administrator/index.cfm
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat

7.0\activex\AcroIEHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: : {c1f2c975-27e1-4cf3-b35c-a1aa205ad1da} - c:\program files\netmeeting\hosecujyt43855.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} -

c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~1\data\xtras\mssysmgr.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
mRun: [realtecs] "c:\documents and settings\db76\application data\google\fbabj220320.exe" 2
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat

7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common

files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line

detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft

office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql

server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} -

c:\progra~1\spywar~1\tools\iesdpb.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} -

hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A6A216EB-4F7C-11D5-8438-0000B456BA3D} - hxxps://as400sec.pct.edu/matn5250/matn5250.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web

folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\db76\applic~1\mozilla\firefox\profiles\bqug2oi3.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\db76\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitifffree.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {9FE98992-A0AD-4172-9A1A-DDF1AC08880C} - c:\documents and settings\db76\local

settings\application data\{9FE98992-A0AD-4172-9A1A-DDF1AC08880C}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-1 214024]
R2 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC

Agent;c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\web-inf\cfusion\db\slserver54\bin\swagent.exe

"coldfusion mx 7 odbc agent" -->

c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\web-inf\cfusion\db\slserver54\bin\swagent.exe ColdFusion MX 7

ODBC Agent [?]
R2 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC

Server;c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\web-inf\cfusion\db\slserver54\bin\swstrtr.exe

"coldfusion mx 7 odbc server" -->

c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\web-inf\cfusion\db\slserver54\bin\swstrtr.exe ColdFusion MX 7

ODBC Server [?]
R2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;c:\jrun4\verity\k2\_nti40\bin\k2admin.exe

[2005-3-24 2732608]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe "coldfusion mx

odbc agent" --> c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program

files\firebird\firebird_1_5\bin\fbguard.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s

[?]
R2 Macromedia JRun Admin Server;Macromedia JRun Admin Server;c:\jrun4\bin\jrunsvc.exe [2005-3-24 61440]
R2 Macromedia JRun CFusion Server;Macromedia JRun CFusion Server;c:\jrun4\bin\jrunsvc.exe [2005-3-24 61440]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe

[2008-9-28 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-1 144704]
R2 mi-raysat_VIZ2008_32;mental ray 3.5 Satellite for Autodesk VIZ 2008;c:\program

files\autodesk\viz2008\mentalray\satellite\raysat_VIZ2008_32server.exe [2007-3-7 65536]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program

files\firebird\firebird_1_5\bin\fbserver.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s

[?]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-1 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-1 40552]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-1 34216]

=============== Created Last 30 ================

2009-06-25 11:01 359,893 a------- c:\temp\dds.scr
2009-06-25 10:36 45,056 a------- c:\windows\system32\msncache.dll
2009-06-24 09:20 <DIR> -cd-h---

c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-22 14:44 <DIR> --dsh--- c:\documents and settings\db76\PrivacIE
2009-06-22 12:06 <DIR> --dsh--- c:\documents and settings\db76\IETldCache
2009-06-22 04:45 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-22 04:45 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 04:45 <DIR> --d----- c:\windows\ie8updates
2009-06-22 04:41 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-22 04:36 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-17 10:51 7,700 a------- c:\windows\tn5250.tmp
2009-05-22 20:18 336 a------- c:\program files\temp995.bat
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 16:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 16:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 06:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 23:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 04:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-04-14 17:28 104,320 a------- c:\docume~1\db76\applic~1\GDIPFONTCACHEV1.DAT
2004-10-30 00:11 5,492,736 a------- c:\windows\inf\oem4097.exe
2008-09-14 06:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 11:26:35.95 ===============

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:15 PM

Posted 27 June 2009 - 06:23 PM

Hello db76,

Posted Image

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :thumbup2: If McAfee still gives you problems, then you may have to temporarily uninstall it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to fluffybunny.exe and try it again. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 db76

db76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 28 June 2009 - 06:02 AM

Hi tea,

Thank you for your response. I have done as you suggested and am attaching the combofix log. You said to generate another HJT log. I have used DDS to create the "pseudo HJT log". I'm not sure if this is what you had in mind, but if not, let me know and I will correct it. I haven't yet rebooted the system to see if all is fine. I wanted to post this before I try to do that.

Thank you very much!

db76

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:15 PM

Posted 28 June 2009 - 04:55 PM

Hello,

My apologies for not giving you directions for HijackThis. I didn't mean to confuse you. :)

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Also have a scan with MBAM and post the report if it shows anything. How is it running now? You can reboot, if you haven't already.....no problem there. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 db76

db76
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:15 PM

Posted 01 July 2009 - 12:25 PM

Tea,

Thank you very much for your help in this matter. The combofix appears to have cleaned up the google redirect problem and restored the funtionality of my DVD player. I also am no longer getting the blue screen at startup.

I ran the HiJackThis scan as you suggested it did find a couple of items.
c:\Qoobox\quarantine\C\WINDOWS\SYSTEM32\msncache.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{cca15f78-7193-4ca6-8115-2b570dd6546c}\RP1116\A0150273.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

I am attaching the combofix log, the hijackthis log and the MBAM log.

Thanks again. I really appreciate it!

db76

Attached Files



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:15 PM

Posted 01 July 2009 - 02:46 PM

Hello,

Very good to know, and you're most welcome. :)

The two files that MBAM found are all right.....not a threat to you. One was in System Restore and the other is in ComboFix's quarantine "Qoobox". We'll take care of those now:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Now MBAM and McAfee both should come up squeaky clean. :thumbup2:

It's really important that you update your Java, if you haven't already. Not only are they vulnerable, but all those useless old versions are taking up a huge amount of space on your hard drive. You will get back over a gig of space when you uninstall so may old versions.

Other than those things, I believe we're done unless you have questions. :)

Good info for you------> http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:15 PM

Posted 06 July 2009 - 06:58 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users