
Trojan.Gen.2, Whitesmoke and Browser Redirect


This topic is locked. 17 replies to this topic.

#1 wmgsmom

Posted 02 February 2011 - 01:04 AM

I have been having many problems with malware, etc., which we first noticed by browser redirect. I have used Malwarebytes (recommended by our IT guy at work). Symantec is already installed on the computer I have, as it is an old office computer. I have been searching the internet for help as no matter what I do, the redirect keeps recurring. Something is hidden somewhere....

I have backed up my computer, and hope that the problem isn't lurking in the backup also.

I attach my Hijackthis log.

Thank you for your assistance.


#2 RPMcMurphy (Malware Response Team)

Posted 05 February 2011 - 09:27 PM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 wmgsmom (Topic Starter)

Posted 06 February 2011 - 03:43 PM

Thank you for your help. I attach/post the requested items. I was unable to do this on the infected computer so I had to do it through my husband's laptop.

Here are the two posts:


DDS (Ver_10-12-12.02) - NTFSx86
Run by teresa at 22:55:15.81 on Sat 02/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.182 [GMT -8:00]

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1283578264\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\Documents and Settings\teresa\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.5\AOL.EXE" -b
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Abacus msgs] "j:\msgs.exe" /"j:\"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HostManager] c:\program files\common files\aol\1283578264\ee\AOLSoftware.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: bankofamerica.com\www
Trusted Zone: eppicard.com\www
Trusted Zone: yahoo.com\login
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.1.51:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.1.51:4343/officescan/console/ClientInstall/setup.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://192.168.1.51:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283065522994
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283065513650
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl9f65afeb;MpKsl9f65afeb;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{08895c7b-5a68-41e9-be7b-7a24d3f7b4c1}\MpKsl9f65afeb.sys [2011-2-5 28752]
S1 MpKsl8d776ae7;MpKsl8d776ae7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc0fc748-67cc-4ad7-a012-b09e7c3c0d72}\mpksl8d776ae7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc0fc748-67cc-4ad7-a012-b09e7c3c0d72}\MpKsl8d776ae7.sys [?]
S1 MpKsl9ec4a781;MpKsl9ec4a781;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc0fc748-67cc-4ad7-a012-b09e7c3c0d72}\mpksl9ec4a781.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc0fc748-67cc-4ad7-a012-b09e7c3c0d72}\MpKsl9ec4a781.sys [?]
S1 MpKslbffd77e6;MpKslbffd77e6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc0fc748-67cc-4ad7-a012-b09e7c3c0d72}\mpkslbffd77e6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc0fc748-67cc-4ad7-a012-b09e7c3c0d72}\MpKslbffd77e6.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]

=============== Created Last 30 ================

2011-02-05 21:43:25 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{08895c7b-5a68-41e9-be7b-7a24d3f7b4c1}\MpKsl9f65afeb.sys
2011-02-05 21:42:40 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-02-05 21:40:28 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{08895c7b-5a68-41e9-be7b-7a24d3f7b4c1}\mpengine.dll
2011-02-05 21:40:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-04 18:46:27 54016 ----a-w- c:\windows\system32\drivers\jgcqxaid.sys
2011-02-03 15:26:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-02 05:33:15 388096 ----a-r- c:\docume~1\teresa\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-02 05:33:13 -------- d-----w- c:\program files\Trend Micro
2011-02-02 04:42:21 -------- dc-h--w- c:\windows\ie8
2011-02-01 06:48:28 -------- d-----w- c:\program files\CCleaner
2011-02-01 06:00:16 -------- d-----w- c:\windows\system32\NtmsData
2011-01-29 03:37:24 -------- d-----w- c:\docume~1\teresa\locals~1\applic~1\Mozilla
2011-01-29 03:23:39 -------- d-----w- c:\docume~1\teresa\applic~1\MSNInstaller
2011-01-28 07:12:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-01-28 07:12:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-01-28 07:12:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-01-28 07:12:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-01-28 07:12:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-01-28 07:12:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-01-28 07:12:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-01-28 05:28:07 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-28 01:47:48 54016 ----a-w- c:\windows\system32\drivers\xxphp.sys
2011-01-28 00:56:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-28 00:56:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-08 18:03:11 -------- d-----w- c:\docume~1\teresa\locals~1\applic~1\IsolatedStorage
2011-01-08 18:01:24 -------- d-----w- c:\program files\TurboTax

==================== Find3M ====================

2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 22:56:07.35 ===============

AND


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-06 11:54:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800JB-00JJA0 rev.05.01C05
Running: 8dccefq2.exe; Driver: C:\DOCUME~1\teresa\LOCALS~1\Temp\kwddipow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----


The attachment is attached as requested.

Thanks again!


#4 RPMcMurphy (Malware Response Team)

Posted 06 February 2011 - 11:43 PM

wmgsmom:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log



#5 wmgsmom (Topic Starter)

Posted 07 February 2011 - 09:26 PM

Hey there. I have downloaded ComboFix and disabled Microsoft Security Essentials. Symantec wouldn't work anymore so I deleted it. However, ComboFix tells me that Symantec is running. Should I go ahead and run ComboFix? I do not know what processes are associated with Symantec after uninstall, etc. If ok to proceed with ComboFix, I will do so and post the results. Also, I am having problems signing into this website from the infected computer.

Thank you.

#6 RPMcMurphy (Malware Response Team)

Posted 07 February 2011 - 10:38 PM

I don't see any Symantec processes running, so let ComboFix run, please.



#7 wmgsmom (Topic Starter)

Posted 07 February 2011 - 10:58 PM

Will do and will post asap. Thanks again.

#8 wmgsmom (Topic Starter)

Posted 07 February 2011 - 11:42 PM

Attached is the Combofix log.

Thank you.

Attached file: combofix.txt (14.34 KB)

#9 RPMcMurphy (Malware Response Team)

Posted 08 February 2011 - 02:14 PM

wmgsmom:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above http://

http://www.bleepingcomputer.com/forums/topic377096.html
File::
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0DBE8948-A5FC-4650-AC74-E796113D1E2E}\MpKsl46d15472.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5038F7EF-156E-417C-849F-2035C9FCAD8C}\MpKsl520bc3e6.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC0FC748-67CC-4AD7-A012-B09E7C3C0D72}\MpKsl8d776ae7.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC0FC748-67CC-4AD7-A012-B09E7C3C0D72}\MpKsl9ec4a781.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC0FC748-67CC-4AD7-A012-B09E7C3C0D72}\MpKslbffd77e6.sys
Driver::
MpKsl46d15472
MpKsl520bc3e6
MpKsl8d776ae7
MpKsl9ec4a781
MpKslbffd77e6
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
Collect::
c:\windows\system32\drivers\jgcqxaid.sys
SecCenter::
{FB06448E-52B8-493A-90F3-E43226D3305C}

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log

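The CFScript above removes exactly two things that the DDS.txt in post #3 already exposed: a WinINet proxy pointing at 127.0.0.1:6092 (every Internet Explorer request was being handed to a local process before it reached the network, which is how a search redirector works) and a freshly created kernel driver, jgcqxaid.sys, whose byte size matches another driver, xxphp.sys, created a week earlier. The following Python script is an added triage example written for this page; it is not part of the thread and not DDS or ComboFix code. The sample lines are excerpted from the DDS.txt posted above; the flagging rules (loopback proxy, size-collision between new drivers, a directory literally named %APPDATA%, an empty Run value, an orphaned toolbar) are the editor's own heuristics and should be read as assumptions, not as anything the tools in the thread do.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the DDS.txt in post #3 of this thread.
# The MpKsl*.sys row is included on purpose: it is a Microsoft Security
# Essentials definition-update driver and must not be flagged.
SAMPLE_DDS = r"""
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
2011-02-05 21:43:25 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{08895c7b-5a68-41e9-be7b-7a24d3f7b4c1}\MpKsl9f65afeb.sys
2011-02-04 18:46:27 54016 ----a-w- c:\windows\system32\drivers\jgcqxaid.sys
2011-02-03 15:26:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-28 05:28:07 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-28 01:47:48 54016 ----a-w- c:\windows\system32\drivers\xxphp.sys
2011-01-28 00:56:40 -------- d-----w- c:\windows\system32\wbem\Repository
"""

# A proxy on the loopback address means every WinINet/IE request is handed to a
# process on this machine before it reaches the network.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)", re.I)
# "Created Last 30" rows: timestamp, size (dashes for a directory), attrs, path.
CREATED_ROW = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+|-+)\s+\S+\s+(.+)$")
DRIVER_FILE = re.compile(r"\\system32\\drivers\\([^\\]+\.sys)$", re.I)
LITERAL_ENV_VAR = re.compile(r"%[A-Za-z_]+%")
EMPTY_RUN_KEY = re.compile(r"^[um]Run: \[<NO NAME>\]\s*$")
ORPHANED_IE_ADDON = re.compile(r"^(?:TB|BHO|EB): .*- No File$")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def triage(dds_text):
    """Return findings as (severity, rule, line) tuples, highest severity first."""
    findings = []
    new_drivers = defaultdict(list)  # size in bytes -> [(driver name, line)]
    for line in (raw.strip() for raw in dds_text.splitlines()):
        if not line:
            continue
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(("high", "loopback-proxy:" + m.group(1), line))
            continue
        if EMPTY_RUN_KEY.match(line):
            findings.append(("low", "empty-run-key", line))
            continue
        if ORPHANED_IE_ADDON.match(line):
            findings.append(("low", "orphaned-ie-addon", line))
            continue
        m = CREATED_ROW.match(line)
        if not m:
            continue
        size, path = m.groups()
        if LITERAL_ENV_VAR.search(path):
            # A directory literally named %APPDATA%: something wrote a path
            # without expanding the variable, which a normal installer does not do.
            findings.append(("medium", "unexpanded-env-var-path", line))
        d = DRIVER_FILE.search(path)
        if d and size.isdigit():
            new_drivers[int(size)].append((d.group(1).lower(), line))
    # Two newly created kernel drivers with different names but an identical
    # byte size (heuristic assumption) are treated as the same payload dropped twice.
    for size, entries in new_drivers.items():
        distinct_names = {name for name, _ in entries}
        if len(distinct_names) > 1:
            sev, rule = "high", "new-driver-size-collision:%d" % size
        else:
            sev, rule = "info", "new-driver"
        findings.extend((sev, rule, line) for _, line in entries)
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_DDS):
        print("%-6s %-32s %s" % (severity, rule, line))
```

Run on the sample, the script reports the proxy and both 54016-byte drivers as high, the %APPDATA% directory as medium, and the empty Run value and orphaned toolbar as low; the Microsoft and HP rows produce nothing. The size-collision rule is deliberately the only driver rule that escalates: a single new .sys file is normal after a Windows or security-product update, so it is logged at info and left for a human.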


#10 wmgsmom (Topic Starter)

Posted 09 February 2011 - 11:40 AM

Attached files: combofix 2.8.11.txt (13.36 KB), mbam-log-2011-02-09 (07-07-40).txt (907 bytes)

Hi there. Attached is the new ComboFix file and the Malwarebytes log. Malwarebytes did not give me the options at the end of the scan, as it found nothing. I still have all the Whitesmoke stuff it previously found in quarantine. When ComboFix ran, it had me upload a file for further research. It was only an upload link, so I do not attach it here. The file that I was instructed to click on was called: CF-Submit.htm. The file path for the upload was: c:\Qoobox\Quarantine\[4]-Submit_2011-02-08_22.40.51.zip

#11 RPMcMurphy (Malware Response Team)

Posted 09 February 2011 - 03:26 PM

wmgsmom:

How is the computer running now? Please do this next:

Click Start > Run or press the Windows key + R, copy and paste the following text into the run box that opens and press OK:
C:\Qoobox\Add-Remove Programs.txt

Post the contents of the text file that opens in your next reply.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • ESET log
  • How is the computer running now?



#12 wmgsmom (Topic Starter)

Posted 09 February 2011 - 10:08 PM

Attached file: log.txt (1.51 KB)

Hi there. ESET found nothing. I attach the log.

The computer seems to be significantly faster, and is no longer experiencing search redirects or unwanted IE windows. The only problem I still have is that I am unable to log into some websites, like bleepingcomputer.com from the affected computer. I am still using the laptop to reply. I have checked settings but can't find anything that seems to control website logon.

What should I do with the Whitesmoke quarantined items in Malwarebytes?

Thank you.

#13 RPMcMurphy (Malware Response Team)

Posted 10 February 2011 - 01:25 PM

wmgsmom:

Please go to this page, click on the "Microsoft Fix it" icon and follow the prompts. Let me know if you still can't reach web pages after doing that.

Once you've done that please run DDS again and post the DDS.txt log for me.

Do you use a router? If so, what make/model (ie: Linksys WRT54G)?

Please include the following in your next post:
  • Are you still unable to reach certain pages?
  • DDS.txt log
  • Router information



#14 wmgsmom (Topic Starter)

Posted 11 February 2011 - 02:06 AM

I can now sign into the websites that I wasn't able to before.

I attach the DDS file.

I do not use a router at home.

Thank you.


#15 RPMcMurphy (Malware Response Team)

Posted 11 February 2011 - 06:34 PM

wmgsmom:

Your logs look good. You can clear those WhiteSmoke detections from the MBAM quarantine by opening MBAM and selecting the Quarantine tab. Once there, press the Delete All button and confirm any prompts.

I have an update and some very important cleanup for you to take care of now:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please visit this General Computer Security Forum and review this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
