Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

google being redirected


  • This topic is locked This topic is locked
16 replies to this topic

#1 medicman58

medicman58

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 25 March 2011 - 05:47 PM

Hi

I have a problem where google searches are being redirected to other sites. this has started a few days ago and is really annoying. I am running Windows XP and IE 8. I have macafee antivirus and have tried running spy-bot, ad aware, sophos rootkit to try and get rid of the problem. Unfortunately all to no avail. I have attached a hijack this log for your information. I hope you guys can help me with this.

BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 26 March 2011 - 02:36 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Iíve given you the ďAll clear.Ē Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Posted Image Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Posted Image Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    Posted Image
    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


If you have trouble running GEMR:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 27 March 2011 - 07:37 AM

Hi Please find attached the DDS / Gmer logs as requested. thanks in advance for your help with this.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Pete at 11:42:22.10 on 27/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1517 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Pete\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.co.uk/
uWindow Title = Packard Bell
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110322235550.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] "c:\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-24 64512]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-23 84072]
R1 NEOFLTR_630_14715;Juniper Networks TDI Filter Driver (NEOFLTR_630_14715);c:\windows\system32\drivers\NEOFLTR_630_14715.sys [2009-9-24 64480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-23 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-23 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-23 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-23 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-23 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-23 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-23 141792]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-3-23 632792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-23 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-23 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-23 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-23 88544]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-24 1405384]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\62.tmp --> c:\windows\system32\62.tmp [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-23 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-23 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-23 84264]
.
=============== Created Last 30 ================
.
2011-03-26 17:36:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-25 08:20:12 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-03-25 08:20:11 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-03-25 08:20:11 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-03-25 08:19:58 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-03-25 08:19:23 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-25 08:17:03 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-03-24 22:14:16 388096 ----a-r- d:\docume~1\pete\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-24 22:14:15 -------- d-----w- c:\program files\Trend Micro
2011-03-24 20:36:50 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-24 20:24:01 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-24 20:22:34 -------- dc-h--w- d:\docume~1\alluse~1\applic~1\{6A27DD32-7047-49DB-A679-BD2BD6B0BBD1}
2011-03-24 20:22:15 -------- d-----w- c:\program files\Lavasoft
2011-03-24 19:38:09 -------- d-----w- c:\windows\system32\scripting
2011-03-24 19:38:09 -------- d-----w- c:\windows\l2schemas
2011-03-24 19:38:08 -------- d-----w- c:\windows\system32\en
2011-03-24 19:38:08 -------- d-----w- c:\windows\system32\bits
2011-03-24 19:35:13 -------- d-----w- c:\windows\network diagnostic
2011-03-24 19:22:16 -------- d-----w- c:\windows\EHome
2011-03-24 15:01:55 -------- d-sh--w- d:\documents and settings\pete\IECompatCache
2011-03-23 22:10:32 6144 ------w- c:\windows\system32\6.tmp
2011-03-23 22:10:21 6144 ------w- c:\windows\system32\5.tmp
2011-03-23 21:19:04 -------- d-----w- c:\program files\Sophos
2011-03-23 20:23:40 -------- d-----w- d:\docume~1\pete\applic~1\Malwarebytes
2011-03-23 20:23:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 20:23:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 20:23:30 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-23 20:23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-23 19:31:42 -------- d-----w- c:\windows\pss
2011-03-23 19:25:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-23 19:25:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 19:16:20 93696 --sha-r- c:\windows\system32\rasadhlp6.dll
2011-03-23 19:06:54 -------- d-----w- d:\docume~1\pete\locals~1\applic~1\Adobe
2011-03-23 18:51:52 -------- d-----w- d:\docume~1\pete\applic~1\Registry Mechanic
2011-03-23 18:47:57 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-03-23 18:47:57 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-03-23 18:47:57 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-03-23 18:47:57 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-03-23 18:47:51 -------- d-----w- c:\program files\common files\PC Tools
2011-03-23 07:17:56 -------- d-----w- d:\documents and settings\pete\Citrix
2011-03-23 07:16:10 -------- d-----w- c:\program files\Juniper Networks
2011-03-23 07:15:45 -------- d-----w- d:\docume~1\pete\applic~1\Juniper Networks
2011-03-23 07:07:34 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 07:06:42 -------- d-----w- c:\windows\ShellNew
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:42:50.01 ===============

Attached Files



#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 27 March 2011 - 12:59 PM

medicman58:

Posted Image Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 27 March 2011 - 02:32 PM

Hi

I attempted to run combo fix which ran until stage 23 (i think) then the PC crashed displaying a blue screen. the following code was at the bottom of the screen:

STOP 0x000000ca (0x00000004, 0x8AADC770,0x00000000, 0x00000000.

I have not run combofix again

thanks.

#6 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 27 March 2011 - 02:39 PM

Hi

I have just realised that although I disabled my Macafee AV and firewall I had forgotten to disable ad-aware. would this have caused the crash? Many apologies

#7 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 27 March 2011 - 02:43 PM

Hi,

Please boot into the Safe Mode and try it again.

Edited by RPMcMurphy, 27 March 2011 - 02:43 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 27 March 2011 - 02:45 PM

We cross posted, sorry. That could have been the trouble. You should uninstall one of those AVs anyhow. Running more than one AV program does not offer any more protection and often causes conflicts and slow downs with your computer.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 27 March 2011 - 03:10 PM

Hi

Successfully ran combofix in normal mode after disabling ad aware. Log file attached. thanks

Attached Files

  • Attached File  log.txt   9.7KB   1 downloads


#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 27 March 2011 - 03:28 PM

medicman58:

We were cross posting there, so I just want to be sure you were clear on my earlier post about uninstalling either AdAware or McAfee.

Do you use a router? If so, what make/model (ie: Linksys WRT54G)? Please do this next:

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • Router information
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 27 March 2011 - 03:49 PM

Hi

the router is HUAWEI Echolife HG521. I will remove ad ad aware from the pc. Malwarebytes did not find any infected files. Log below
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6186

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/03/2011 21:47:37
mbam-log-2011-03-27 (21-47-37).txt

Scan type: Quick scan
Objects scanned: 228035
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 28 March 2011 - 09:24 AM

medicman58:

Are you still being redirected? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Posted Image Please download MiniToolBox and run it.

Check the following items:
  • Flush DNS
  • List content of Hosts
  • List IP configuration
Click Go and post the result (Result.txt).

Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • Mini Toolbox log
  • ESET log
  • Are you still being redirected?

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#13 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 28 March 2011 - 03:44 PM

Hi there,

Mini toolbox results below. currently no issues with redirects. Upon completion of the ESET AV it came up with 'no threats found' but I couldn't find a 'details' tab for the log file.

MiniToolBox by Farbar
Ran by Pete at 2011-03-28 20:21:15
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


================= Flush DNS: ==============================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


================= End of Flush DNS ========================================
=============== Hosts content: ============================================

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : 049325220061

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-14-85-48-56-41

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

192.168.1.1

Lease Obtained. . . . . . . . . . : 28 March 2011 20:19:22

Lease Expires . . . . . . . . . . : 29 March 2011 20:19:22

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.230.146, 74.125.230.145, 74.125.230.144, 74.125.230.147
74.125.230.148



Pinging google.com [74.125.230.146] with 32 bytes of data:



Reply from 74.125.230.146: bytes=32 time=29ms TTL=54

Reply from 74.125.230.146: bytes=32 time=27ms TTL=54



Ping statistics for 74.125.230.146:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 27ms, Maximum = 29ms, Average = 28ms

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76



Pinging yahoo.com [69.147.125.65] with 32 bytes of data:



Reply from 69.147.125.65: bytes=32 time=114ms TTL=52

Reply from 69.147.125.65: bytes=32 time=115ms TTL=52



Ping statistics for 69.147.125.65:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 114ms, Maximum = 115ms, Average = 114ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 85 48 56 41 ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 28 March 2011 - 09:25 PM

medicman58:

Everything looks good, medicman58! Now I have anohter update and some very important cleanup for you to take care of:

Posted Image Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Posted Image Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall
Posted Image

Posted Image Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • MiniToolBox
Posted Image Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Posted Image Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#15 medicman58

medicman58
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 29 March 2011 - 10:46 AM

Hi

Everything works fine now and your recommended clean up is done. Many thanks for all your help with this it is much appreciated. I have sent a small donation, its not alot but I think everyone all put in a little bit if they can. By the way can i use TFC any time to clean out the temp files or is it a once only application?

Thanks again




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users