Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware redirects selection from search engines


  • This topic is locked This topic is locked
18 replies to this topic

#1 boyerll

boyerll

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 16 April 2011 - 12:27 PM

When I use any search engine, Google, Bing, etc., the results page opens alright. However when an item on the results page is selected, frequently the referenced IP address is not displayed, but the results are redirected to another page that contains similar information. Highlighting the IP address on the seach engine results page and then pasting it to the http line will usually direct the browser to the correct page. However, often, Explorer or Firefox will return an "error" page and will not connect with the desired site.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Compaq_Owner at 15:18:51.12 on Fri 04/15/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1076 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Reader\MSReader.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\EPYY89K9\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
uSearch Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110316221814.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nwiz] nwiz.exe /install
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.199\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: $talisma_url$
Trusted Zone: army.mil\aprs.redstone.amedd
Trusted Zone: bfasystems.com\mail
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: penfed.org\www
Trusted Zone: redfcu.org\www
Trusted Zone: redfcuonline.org\www
Trusted Zone: usaa.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258343277385
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {1C82A4D5-0F16-4101-BCF8-37C5E6A81523} = 205.152.37.23,205.152.132.23
TCP: {C3D04492-FF91-4385-9785-9116714A45A9} = 205.152.37.23,205.152.132.23
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\7qt38b87.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 28091
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\7qt38b87.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-16 84072]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\belkin\belkin wireless network utility\WLService.exe [2005-1-2 49152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-16 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-16 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-16 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-16 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-16 141792]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-11-8 237568]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-11-8 1060352]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-11-8 484352]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-16 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-16 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-16 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-16 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-16 88544]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-16 271480]
S2 Simple;VadisRunOnce;c:\volvo\startup\VadisRunOnce.exe [2010-11-12 24576]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [2005-1-2 140416]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.199\McCHSvc.exe [2011-2-23 237008]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-16 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-16 84264]
S3 Normandy;Normandy SR2; [x]
.
=============== Created Last 30 ================
.
2011-04-08 03:44:19 150016 --sha-r- c:\windows\system32\dpwsockx9.dll
2011-04-08 03:43:54 163840 ----a-w- c:\windows\Rhuhoa.exe
2011-03-24 20:05:59 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\Motive
2011-03-22 04:06:23 -------- d-----w- c:\docume~1\compaq~1\applic~1\WinBatch
2011-03-17 03:18:14 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2011-03-17 03:18:10 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-03-17 03:17:37 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-03-17 03:17:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-03-17 03:17:37 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-03-17 03:17:37 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-03-17 03:17:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-03-17 03:17:37 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-03-17 03:17:36 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-03-17 03:17:26 -------- d-----w- c:\program files\common files\Mcafee
2011-03-17 03:17:25 -------- d-----w- c:\program files\McAfee.com
2011-03-17 03:16:43 -------- d-----w- c:\program files\McAfee
2011-03-17 02:54:22 141792 ----a-w- c:\windows\system32\mfevtps.exe
.
==================== Find3M ====================
.
2011-03-13 17:31:42 600802 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-02-12 18:28:40 546256 ---ha-r- c:\windows\system32\SZComp5.dll
2011-02-12 18:28:40 452048 ---ha-r- c:\windows\system32\SZBase5.dll
2011-02-12 18:28:40 22992 ---ha-r- c:\windows\system32\SZIO5.dll
2011-02-12 18:28:40 132560 ---ha-r- c:\windows\system32\IS3HTUI5.dll
2011-02-12 18:28:38 99792 ---ha-r- c:\windows\system32\IS3Svc5.dll
2011-02-12 18:28:38 99792 ---ha-r- c:\windows\system32\IS3Inet5.dll
2011-02-12 18:28:38 67024 ---ha-r- c:\windows\system32\IS3Hks5.dll
2011-02-12 18:28:38 398800 ---ha-r- c:\windows\system32\IS3DBA5.dll
2011-02-12 18:28:38 390608 ---ha-r- c:\windows\system32\IS3UI5.dll
2011-02-12 18:28:38 28624 ---ha-r- c:\windows\system32\IS3XDat5.dll
2011-02-12 18:28:36 738768 ---ha-r- c:\windows\system32\IS3Base5.dll
2011-02-12 18:28:36 230864 ---ha-r- c:\windows\system32\IS3Win325.dll
2011-02-09 13:53:52 270848 ---ha-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ---ha-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ---ha-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ---ha-w- c:\windows\system32\shimgvw.dll
2005-09-23 21:14:43 774144 ---ha-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 15:20:59.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 16 April 2011 - 09:02 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Iíve given you the ďAll clear.Ē Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Posted Image P2P - I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Posted Image Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 22 April 2011 - 02:51 PM

Followed instructions and ran Combofix. Combofix took about 15 minutes, then got a box that told me it deleted a dozen or so files and a dozen or so folders. Box then said report being produced, do not run any programs, etc while report being produced. Box ran for about 15 minutes, had to move mouse to keep screen refreshed, but no data appeared in box after warning statement. Finally box disappeared. Let computer run for another 20 minutes with no indication Combofix was doing anything, i.e. no hourglass next to polnter. Finally opened Internet Explorer to create this message.

Also, thanks for not deactivating my post. Am a neophyte at this so have sort of stumbled about the web site before I found my post and the attached assist.

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 22 April 2011 - 03:52 PM

Hello,

This should open that ComboFix log back up:

Posted Image Click Start > Run or press Windows Key + R copy/paste the following into the run box that opens and press OK:
c:\ComboFix.txt

Please post it for me (or let me know if it doesn't open).

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 23 April 2011 - 12:47 PM

Typed, then cut and pasted c;|ComboFix.txt into the run window. No file opened, Message box appears that says Windows cannot find 'c:\ComboFix.txt". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

#6 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 23 April 2011 - 01:03 PM

Stumbling through here. Ran Windows Search for ComboFix.txt file and found the attached. Do not know why using the run program did not work.Attached File  ComboFix.txt   5.43KB   2 downloads

#7 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 23 April 2011 - 04:51 PM

Hi,

Are you certain that is the entire log? A large part of it is missing.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#8 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 23 April 2011 - 09:05 PM

Believe this is all of the file that is on the machine. Shall I run Combofix again and try for a complete log?

#9 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 23 April 2011 - 09:20 PM

Yes, please try that.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#10 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 23 April 2011 - 10:41 PM

Ran Combofix again and got a text file, which is appended.

Attached Files



#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 24 April 2011 - 10:19 AM

boyerII:

Posted Image Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Firefox::

Firefox::
FF - ProfilePath - C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\7qt38b87.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 28091
FF - prefs.js: network.proxy.type - 0

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Posted Image Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#12 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 26 April 2011 - 12:42 PM

Apologies for the delay. Malwarebytes crashed after about 20 hours the first time I ran it. Second run was successful after 23.5 hours. Found and removed 3 infected files. Combofix and Malwarebytes logs appended. Appreciate your help and time.

Attached Files



#13 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 26 April 2011 - 05:02 PM

boyerII:

How is your computer running now? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is your computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:42 AM

Posted 02 May 2011 - 09:54 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#15 boyerll

boyerll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 04 May 2011 - 11:29 AM

Malware was redirecting my search engine to other sites from the search result page. RPMcMurphy was providing most able assistance and we arrived at a point where the malware seemed to be removed and the computer is running fine. RP requested an ESET scan and a post of the results, without removing the infected files. Results of the scan are:

C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP12\A0002897.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP15\A0004024.dll a variant of Win32/Kryptik.LXF trojan
K:\WD SmartWare.swstor\LLIIICOMPUTER\Volume.cf4f07b1.5cfb.11d9.aefa.806d6172696f\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application.

Unfortunately my original post was closed due to length of time responding. I am in north Alabama and we have been through some rather difficult weather and had no power for the last several days, hence the no response in a timely manner. Any assistance would be appreciated and my special thanks to RP for his help this far.









0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users