
Random Internet Audio/ Search redirects


  • This topic is locked
18 replies to this topic

#1 frank1940

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 13 January 2011 - 03:44 PM

I have a problem with a computer that is running Windows XP Professional. It is used by a home schooled student to attend an on-line school. Sometime on the afternoon of January 5, 2011, a popup appeared informing him that his computer was infected. Unfortunately, he clicked on the popup and System Tool 2011 was installed.

When I got home, I did some on-line research and got that uninstalled. (At least, the banner is gone!) However, the computer still has issues.

1- It randomly plays music or commercials from the Internet. I can see the traffic via the Internet Connection status icon in the taskbar. These audio streams seem to last about thirty seconds to a minute. They occur about half hour to an hour apart. (Never really timed them…)

2- After doing a search on one of the search engines, clicking on a URL will often get you a redirect to another site which is usually completely unrelated to what you would be expecting. I have actually seen messages in the URL bar indicating that this was happening.

The virus program on this computer is McAfee Security-as-a-Service. I have also observed that when the computer is booting up, McAfee installs and then a taskbar balloon pops up stating that McAfee is turned off. This condition lasts for about thirty seconds. The Internet connection icon indicates that there is traffic during this time.

I have spent a fair amount of time and effort attempting to clean up this computer and these are the things which I have found:

First, I have run Malwarebytes Anti-Malware, HijackThis, rkill.com, Kaspersky Rescue Disk CD, and Avast free. Any problems these packages found have been fixed. I tried to run tdsskiller.exe but it won't run. (It starts to initialize and terminates without a message.) Kaspersky found (and removed) Trojan-Downloder.Java.openConnection.cf. However, the problems have continued after this was cleaned.

Second, I have found in Windows Task Manager that one or more instances of iexplore.exe are running even when I have never started IE. If I kill the process(es), it restarts within a few seconds. I have further observed that one of these processes will consume 4 to 8 percent of the CPU cycles when the Internet audio is playing.

Third, I made a search for files or folders created or modified on January 5th. There were only three files during the time period when System Tool 2011 was installed. Two of these are in C:\WINDOWS\system\drivers named sst1A3.sys and sst1A3.tmp. (Searching on-line did not produce any information on the .sys file which is suspicious.) The third file is CIO97ed609a-7540-46cb-94db-7ba590f8e222.tmp in C:\Program Files\McAfee\Managed Virus/scan\Vscan\Agent\Report. To date, I have done nothing with these three files.

I am requesting assistance to clean up this machine as a ‘reformat and reinstall’ is NOT an option.



DDS (Ver_10-12-12.02) - NTFSx86
Run by Parent at 14:34:50.82 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1297 [GMT -5:00]

AV: McAfee® Security-as-a-Service Anti-virus *Enabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Parent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.k12.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110105072606.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\desktopui\XTray.Exe
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293042952796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-6-18 184888]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-6 434624]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-12 89528]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-5 158296]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-5 145424]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-12-6 291064]
R2 RumorServer;McAfee Peer Distribution Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-12-6 291064]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 44800]
R3 MfeAVFK;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-6 170912]
R3 MfeBOPK;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-6 59096]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-5 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-12 85760]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-12-6 34248]

=============== Created Last 30 ================

2011-01-13 00:59:07 -------- d-----w- c:\windows\system32\appmgmt
2011-01-11 12:19:16 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{1fcae9b4-5276-4a4c-8e9f-631ca091a329}\mpengine.dll
2011-01-09 00:29:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-01-08 22:20:13 -------- d-----w- C:\Jack
2011-01-07 22:25:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 15:26:42 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-07 15:26:40 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-05 20:44:37 -------- d-----w- c:\docume~1\parent\applic~1\Malwarebytes
2011-01-05 20:44:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-05 20:44:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-05 20:44:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-05 20:44:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-05 18:58:47 0 ----a-w- c:\windows\Byizilawetidalu.bin
2011-01-05 18:58:46 -------- d-----w- c:\docume~1\parent\locals~1\applic~1\{85B03758-E408-4705-936A-6127AB755D82}
2011-01-05 18:36:19 53248 ----a-w- c:\windows\system32\drivers\sst1A3.sys
2011-01-05 18:36:19 0 ----a-w- c:\windows\system32\drivers\sst1A3.tmp
2011-01-05 18:35:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\cEhLn06504
2011-01-05 15:26:44 -------- d-----w- c:\docume~1\parent\locals~1\applic~1\Temp
2011-01-05 15:26:35 -------- d-----w- c:\docume~1\parent\locals~1\applic~1\Google
2011-01-05 12:26:06 71240 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2011-01-05 12:26:06 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2011-01-05 12:26:05 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-05 12:26:00 145424 ----a-w- c:\windows\system32\mfevtps.exe
2011-01-05 12:25:58 -------- d-----w- c:\program files\common files\McAfee
2010-12-29 12:59:09 -------- d-sh--w- c:\documents and settings\parent\IECompatCache
2010-12-25 21:42:53 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-25 21:42:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-12-22 20:05:48 -------- d-sh--w- c:\documents and settings\parent\PrivacIE
2010-12-22 20:04:30 -------- d-sh--w- c:\documents and settings\parent\IETldCache
2010-12-22 19:46:42 -------- d-----w- c:\docume~1\parent\locals~1\applic~1\AOL
2010-12-22 19:46:37 -------- d-----w- c:\program files\common files\Software Update Utility
2010-12-22 19:46:24 -------- d-----w- c:\program files\common files\AOL
2010-12-22 19:39:18 -------- d-----w- c:\docume~1\parent\locals~1\applic~1\Yahoo
2010-12-22 19:37:52 -------- d-----w- c:\windows\ie8updates
2010-12-22 19:37:19 -------- d-----w- c:\program files\Yahoo!
2010-12-22 19:36:45 -------- dc-h--w- c:\windows\ie8
2010-12-22 19:35:13 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-12-22 19:34:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-12-22 19:34:42 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-22 19:34:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 14:41:52.28 ===============

This file did not get attached in my first message

EDIT: Posts merged ~BP


Edited by Budapest, 13 January 2011 - 07:07 PM.
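The timeline correlation Frank did by hand (searching for files created on January 5th during the System Tool 2011 install) can be done directly on the "Created Last 30" section of the DDS log above. The Python below is an added example, not part of this thread or of the DDS tool: it parses a handful of lines copied from that log, keeps the entries created inside the incident window (assumed here to be 18:30 to 19:00 on 2011-01-05 in the log's own timestamps), and attaches a few toy heuristics (new kernel driver under \drivers, zero-byte file, random-looking name). The heuristics are illustrative, not a detection signature.

```python
"""Triage of a DDS "Created Last 30" section against a known incident window.

Added example; not part of the BleepingComputer thread or of DDS itself.
The sample lines are copied from the DDS output posted above. The incident
window and the scoring heuristics are assumptions for illustration.
"""
import re
from datetime import datetime

# Constructed sample: a few lines in the DDS "Created Last 30" format
#   <date> <time> <size or dashes> <attrs> <path>
SAMPLE_LINES = r"""
2011-01-07 15:26:40 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-05 20:44:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-05 18:58:47 0 ----a-w- c:\windows\Byizilawetidalu.bin
2011-01-05 18:36:19 53248 ----a-w- c:\windows\system32\drivers\sst1A3.sys
2011-01-05 18:36:19 0 ----a-w- c:\windows\system32\drivers\sst1A3.tmp
2011-01-05 18:35:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\cEhLn06504
2011-01-05 12:26:05 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
"""

# Assumed incident window (from the poster's description of when the rogue
# installed, read against the log's own timestamps).
WINDOW_START = datetime(2011, 1, 5, 18, 30)
WINDOW_END = datetime(2011, 1, 5, 19, 0)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)


def parse_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append({
            "when": when,
            # DDS prints dashes instead of a size for directories
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"].lower(),
        })
    return entries


def in_window(entries, start, end):
    """Entries whose creation time lies inside [start, end]."""
    return [e for e in entries if start <= e["when"] <= end]


def score(entry):
    """Toy heuristics: reasons an entry deserves a closer look (illustrative only)."""
    reasons = []
    p = entry["path"]
    name = p.rsplit("\\", 1)[-1]
    if "\\drivers\\" in p and p.endswith(".sys"):
        reasons.append("new kernel driver")
    if entry["size"] == 0 and not entry["is_dir"]:
        reasons.append("zero-byte file")
    # letters followed by a run of digits, or a long pronounceable-looking .bin name
    if re.fullmatch(r"[a-z]{4,}\d{4,}", name) or re.fullmatch(r"[a-z]{10,}\.bin", name):
        reasons.append("random-looking name")
    return reasons


def triage(text, start, end):
    """Return [(path, [reasons])] for in-window entries that trip at least one heuristic."""
    flagged = []
    for e in in_window(parse_created(text), start, end):
        reasons = score(e)
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def demo():
    """Run the triage over the sample lines with the assumed window."""
    return triage(SAMPLE_LINES, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for path, reasons in demo():
        print(f"{path}: {', '.join(reasons)}")
```

Run against the sample it flags the two sst1A3 files, the zero-byte .bin in c:\windows and the cEhLn06504 folder, and leaves the Malwarebytes and McAfee drivers created outside the window alone. The point is the narrowing, not the heuristics: a tight time window around the known infection event turns a 40-line listing into four candidates to look at.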




#2 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:05 PM

Posted 14 January 2011 - 12:12 AM

Hello frank1940 ,


Navigate to this folder and delete it : c:\documents and settings\allusers\application data\cEhLn06504


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to frank.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 frank1940
  • Topic Starter

Posted 14 January 2011 - 09:27 AM

I followed your instructions. Deleted the eEhLno6504 file.

I did not uninstall McAfee at this point. I did find a way to disable it. Unfortunately I did not realize that ComboFix would reboot the machine (twice) as part of its process. Of course, I don't know if McAfee came back active after the reboots.

Early in the process, ComboFix detected a rootkit and did reboot.

It took close to an hour to run the entire process.

I have attached the ComboFix.txt file.

The problem is still not fixed. I still have the Internet Audio playing randomly and redirects from search engines are still an issue.

Thanks for all your help in resolving this problem.

Frank

PS: I live in Columbus, Ohio.


#4 teacup61

Posted 14 January 2011 - 10:54 AM

Well howdy neighbor! :wink:

You're welcome. :)

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
FCOPY::
c:\windows\ServicePackFiles\i386\msgsvc.dll | c:\windows\system32\msgsvc.dll
File::
c:\windows\system32\drivers\sst1A3.sys
c:\windows\Byizilawetidalu.bin
Driver::
sst1A3
Folder::
c:\documents and settings\All Users\Application Data\cEhLn06504


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Again, let me know how it's running after that. :)

Thanks,
tea

#5 frank1940

Posted 14 January 2011 - 02:38 PM

Hi tea ----

I have done as you requested. The ComboFix.txt file is attached.

Early in the process, I got a pop-up notice that an update to ComboFix was available. I clicked on "yes" and allowed the update. (ComboFix did indicate that it was processing a download. Am I correct in assuming that this is normal behavior?)

When everything was almost finished ComboFix rebooted the machine. McAfee is disabled (a Taskbar balloon pops up to notify me of this) for a good portion of the boot process and the random audio play did occur during this period.

I did notice random Network activity without audio during the time ComboFix was running. This computer is NOT a part of any computer network other than the Internet. I could easily disconnect it from the Network entirely. (I worry about the Trojan repairing itself.) The contaminated machine is NOT being used for anything other than running the cleaning and repair programs under your guidance. I am using a different computer to do everything including file download and posting to the Forum. I move the files back and forth using a USB stick.

Frank


#6 teacup61

Posted 19 January 2011 - 03:27 PM

Hello,

I apologize for my absence. :(

How is it running now please? I'd like to have a scan with an updated MBAM, please, and the report posted, if there is anything to report. :)

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Thanks,
tea

#7 frank1940

Posted 19 January 2011 - 04:52 PM

Tea ----

I posted you a PM a bit earlier this afternoon.

I have run MBAM as you requested. Nothing was found to be infected. I have not heard any random Audio playing in the close to an hour the computer has been on. I do not see any iexplorer processes running in Task Manager. So that is an improvement.

However, I am still getting redirects on searches. Almost any search results in a website that I don't want to visit. Some of them have popups that refuse to close and require 'killing' IE with Task Manager.

Since I still have the problem with redirects, I have not removed ComboFix. If you still want me to do so, please let me know.

Frank

The MBAM log follows:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5556

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/19/2011 4:09:27 PM
mbam-log-2011-01-19 (16-09-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 182119
Time elapsed: 20 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 teacup61

Posted 19 January 2011 - 04:54 PM

I got your PM. :)

Do you use a router? Yes, I really want you to uninstall ComboFix. It's updated very often, so the version you have is old now, by our standards. :thumbup2:

#9 frank1940

Posted 19 January 2011 - 05:41 PM

Tea---

Interesting. I uninstalled ComboFix and rebooted. When I rebooted, there was a notification from the Taskbar that a 100Mbps connection was available. Within a few seconds, I got one of the random audio plays from the Internet. The iexplorer processes are now popping up in Task Manager within a few seconds after I kill the previous one. I should also say that I did not plug in the Internet connection until after the machine had booted earlier this afternoon.

Yes, I have a router-- A Netgear RP614 v4

Looks like we still have a lot of work to do...

Frank

#10 teacup61

Posted 19 January 2011 - 06:23 PM

A test: disconnect from the router and go straight to the wall with it, and tell me if you're still redirected.

#11 frank1940

Posted 19 January 2011 - 07:01 PM

Tea ----

I disconnected from the Router and connected straight (using only the modem) to the Internet. Both the Internet audio played and I had the redirect problem in the couple of minutes that I was connected directly to the modem. One of the redirects was to a 213.174.184.4 IP address; it actually appeared on the IE browser URL bar.

By the way, I have had four other computers that are connected (today) via the same switch, router and modem setup and this computer is the only one with any issues. So I do doubt that I have a LAN problem or router problem. I have checked the router setup and the DNS service is being provided by my ISP (Insight Road Runner-- Part of my cable service). I do not have any information on how to access the modem to see what settings it has but I doubt if there could be a problem there.

Frank

#12 teacup61

Posted 19 January 2011 - 07:49 PM

Excellent info, thank you! :thumbup2: The more I have the better I can do.

Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Let me know if that helps. :)

Thanks,
tea

#13 frank1940

Posted 19 January 2011 - 08:32 PM

Tea ----

I flushed the DNS Cache as directed and ran HostsXpert.exe to replace the MS Hosts file. Both problems are still present. I first checked to see if the problems were fixed (they weren't) and then rebooted. Both problems are still there after the reboot. I even tried flushing again without success.

I have also observed that when I click on a search result to go to the desired site, two to four URLs will pop up on the browser address bar before the final site loads.

I get the same action if I enter the search string in the Search Tool Bar or enter www.google.com on the Address Bar and then enter the search string directly on Google's webpage.

I did double check the MS Hosts file and it is still 'read only'.

Frank
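The HOSTS restore in post #12 and Frank's follow-up above together illustrate a useful check: the hosts file is one of several places a search redirect can come from, and a clean, read-only hosts file rules out only that one vector (the redirects here survived it, which points elsewhere, such as the driver and BHO entries being worked on in the rest of the thread). The Python below is an added example, not part of this thread or of HostsXpert. It parses a constructed hosts file (the two hijack-style entries and the 192.0.2.10 address are made up for illustration), flags entries that block a name by pointing it at loopback or pin it to a fixed address, and produces a cleaned copy that keeps only comments and the localhost line, which approximates what a restore to the Microsoft default does.

```python
"""Check a Windows HOSTS file for entries that could block or redirect name lookups.

Added example; not part of the BleepingComputer thread or of HostsXpert.
The hosts content, the 192.0.2.10 address (TEST-NET-1) and the hijack-style
entries are constructed for illustration.
"""
import ipaddress

# Constructed sample: a default-looking XP hosts file plus two kinds of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # vendor site blocked (constructed)
192.0.2.10      www.google.com
192.0.2.10      search.yahoo.com
"""

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for every non-comment, well-formed line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed address; a stricter tool would report it
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries


def find_suspicious(entries):
    """Flag hostnames (other than the local names) that are blocked or pinned.

    Loopback/unspecified targets block resolution, which is how rogue software
    keeps a machine from reaching vendor sites; any other fixed address sends the
    name somewhere the user did not choose. Ad-blocking hosts lists use the first
    pattern legitimately, so a finding is a prompt to look, not a verdict.
    """
    findings = []
    for n, ip, hosts in entries:
        for h in hosts:
            if h in LOCAL_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                reason = "resolution blocked (points to loopback)"
            else:
                reason = "resolution redirected to fixed address"
            findings.append({"line": n, "host": h, "ip": str(ip), "reason": reason})
    return findings


def clean_hosts(text):
    """Return the file with every flagged line removed; comments and localhost stay."""
    bad_lines = {f["line"] for f in find_suspicious(parse_hosts(text))}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_suspicious(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}: {f['reason']}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real XP machine the file is %SystemRoot%\system32\drivers\etc\hosts; if this check comes back clean and redirects continue, as they did for Frank, the hosts file can be set aside and attention moves to the DNS server settings and to what is loaded inside the browser and kernel.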

#14 teacup61

Posted 19 January 2011 - 08:39 PM

Hi Frank,

Again, thank you for the info, it really does help.

Let's get an updated ComboFix and see what might be new in it. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to frank.exe and try again.

Thanks,
tea

#15 frank1940

Posted 19 January 2011 - 10:13 PM

Tea ---

Ran ComboFix.exe and it did find an infected file.

The Internet Audio problem was still there after ComboFix finished.

A short test seems to indicate that searches are not being redirected.

I have attached the ComboFix.txt file.

Thanks for all your help today!!!

Frank

Attached File: ComboFix.txt (12.86KB)



