Web Browser Redirect


This topic is locked. 17 replies to this topic.

#1 Shekky (Members, 8 posts)

Posted 19 April 2011 - 01:37 PM

I had a friend (a software engineer) help me with the rest and with getting the log, so sorry if the description is not the best.

Problem: I was being redirected when I clicked on links. It would occur approximately every third link click.
Google links seemed to be the worst. I think I got it on Google when I clicked on a link to "The Pit" BBQ restaurant in Raleigh, NC, because AVG went nuts. (Entering web addresses in the address bar was not affected: no redirects when entering directly in the bar.)
Redirecting occurred in multiple browsers, even after uninstalling and reinstalling. AVG Free did not block the redirects. While running Titanium Antivirus, it would try to redirect but would get blocked, so that nothing would populate; I'd end up with a blank page. It brought me to the page for Tazinga multiple times, but would direct me to other ad pages as well. (Originally, AVG Free was running when the virus/issue began. I ran scans with Lavasoft's Ad-Aware and AVG to get rid of what I could on the computer. My friend gave me Titanium Antivirus. When I installed that, it made me uninstall Ad-Aware. While running Titanium, the whole computer died and would not launch Windows; stuck in hibernation, I think. My friend got Windows working, uninstalled the antivirus software, and ran scans and ComboFix.)

During the ComboFix run, something regarding a rootkit was mentioned, and browsing has improved after running ComboFix.

Copy of the ComboFix log:

ComboFix 11-04-18.02 - Angela Shek 04/19/2011 1:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1710 [GMT -4:00]
Running from: c:\documents and settings\Angela Shek\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Angela Shek\Application Data\Adobe\plugs
c:\documents and settings\Angela Shek\Application Data\Adobe\shed
c:\documents and settings\Angela Shek\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Angela Shek\WINDOWS
c:\windows\jestertb.dll
c:\windows\system32\twain.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
2011-04-19 05:45 . 2011-04-19 05:46 -------- d-----w- C:\32788R22FWJFW
2011-04-19 05:08 . 2011-04-19 05:08 -------- d-----w- c:\documents and settings\Angela Shek\Application Data\Uniblue
2011-04-19 05:08 . 2011-04-19 05:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-04-19 05:08 . 2011-04-19 05:08 -------- d-----w- c:\program files\Uniblue
2011-04-19 05:08 . 2011-04-19 05:08 -------- d-----w- c:\documents and settings\Angela Shek\Local Settings\Application Data\PackageAware
2011-04-19 04:27 . 2011-04-19 04:27 -------- d-----w- c:\program files\Fiddler2
2011-04-19 00:54 . 2011-04-19 00:54 1409 ----a-w- c:\windows\QTFont.for
2011-04-10 17:48 . 2011-04-19 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-04-09 22:27 . 2011-04-09 22:27 -------- d-sh--w- c:\documents and settings\Angela Shek\IECompatCache
2011-04-09 14:32 . 2011-04-09 14:32 -------- d-----w- c:\documents and settings\Angela Shek\Application Data\DVDVideoSoftIEHelpers
2011-04-09 14:32 . 2011-04-09 14:33 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2011-04-09 14:32 . 2011-04-09 14:32 -------- d-----w- c:\program files\DVDVideoSoft
2011-04-07 22:06 . 2011-04-07 22:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-07 22:06 . 2011-04-07 22:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-04-05 10:57 . 2011-04-05 10:57 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-27 22:44 . 2011-03-27 22:44 -------- d-----w- c:\documents and settings\Angela Shek\Local Settings\Application Data\Intuit
2011-03-27 22:43 . 2011-03-27 22:43 -------- d-----w- c:\documents and settings\Angela Shek\Application Data\Intuit
2011-03-27 22:37 . 2011-03-27 22:37 -------- d-----w- c:\documents and settings\Angela Shek\Local Settings\Application Data\IsolatedStorage
2011-03-27 22:35 . 2011-03-27 22:35 -------- d-----w- c:\program files\TurboTax
2011-03-27 22:35 . 2011-03-27 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 21:34 . 2008-06-21 21:34 7496920 ----a-w- c:\program files\Firefox Setup 3.0.exe
2011-03-18 17:53 . 2011-04-11 02:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2011-03-14 67456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-01-21 18:03 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-02-16 22:49 149024 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-02-16 22:57 1945960 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
2008-01-08 13:28 864256 ------w- c:\program files\Brownie\BrStsWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 18:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-02-13 17:02 564496 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-02-13 17:06 2196240 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 13:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 04:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBooster]
2011-03-14 15:31 67456 ----a-w- c:\program files\Uniblue\RegistryBooster\Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 21:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 00:47 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-02-25 20:18 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-02-16 22:45 1169776 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avgwd"=2 (0x2)
"AVGIDSAgent"=2 (0x2)
"AVG Security Toolbar Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Amsp"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"AcrSch2Svc"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"CCALib8"=2 (0x2)
"NBService"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Games\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\7 wonders 2\\Wonders2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\pizza frenzy\\PizzaFrenzy.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Steam\\steamapps\\angelashek\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv\\Civilization4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\civilization iv colonization\\Colonization.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv beyond the sword\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\worms reloaded\\WormsReloaded.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dinertown tycoon\\DinerTown Tycoon.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/10/2010 5:30 PM 64288]
S2 mrtRate;mrtRate; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2010 11:24 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2010-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-25 20:16]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 15:23]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 15:23]
.
2010-08-09 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-05 20:35]
.
2011-04-19 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-03-14 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\Angela Shek\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Angela Shek\Application Data\Mozilla\Firefox\Profiles\mpw3o75f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbcd768&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-Trend Micro Client Framework - c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe
MSConfigStartUp-Trend Micro Titanium - c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 02:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1801674531-1303643608-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e9,c5,c1,91,88,06,4f,d5,6b,bb,4e,b6,7b,07,1f,72,8f,6f,33,22,3c,
4e,47,79,2a,83,5d,4f,21,78,82,c1,a4,99,2d,5e,92,9d,33,98,8b,5c,43,ef,3f,67,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Uniblue\RegistryBooster\registrybooster.exe
.
**************************************************************************
.
Completion time: 2011-04-19 02:25:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-19 06:25
.
Pre-Run: 244,342,673,408 bytes free
Post-Run: 254,106,394,624 bytes free
.
- - End Of File - - AB76986A8C07E232C85F59946DCF5BA6
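The line `\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected` is the important finding in the log above: TDL4 is a bootkit that lives in the master boot record rather than in any browser or user profile, which fits the symptoms described (redirects in every browser, surviving uninstall and reinstall, not stopped by a file-level scanner). As an added example, not code from the thread or from ComboFix, here is a generic Python check of the kind a responder runs against a disk image or raw device after such a report. It validates the structure of sector 0 and compares the 440-byte boot-code region against a SHA-256 taken from a trusted baseline (a clean backup or an image of the same Windows build). The sample sector, its baseline hash, the disk size and the tampered copy are all constructed inline; nothing reads a real drive unless you call read_sector0 yourself.

```python
# Added example: generic MBR integrity check (not code from the thread or from ComboFix).
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code on a classic MBR
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature/reserved bytes
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(sector):
    """Return the non-empty entries of the MBR partition table as dicts."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "status": status, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "count": count})
    return parts


def check_mbr(sector, baseline_sha256, disk_sectors):
    """Compare sector 0 with a known-good boot-code hash and sanity-check the table.

    Returns a list of findings; an empty list means nothing looked wrong.
    """
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector 0 is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from the known-good baseline")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p["bootable"]) != 1:
        findings.append("expected exactly one bootable partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
        if p["lba_start"] + p["count"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    return findings


def unpartitioned_tail(sector, disk_sectors):
    """Sectors after the last partition. A large tail is normal on many disks, but it
    is where MBR bootkits commonly keep their payload, so it says where to dump next."""
    ends = [p["lba_start"] + p["count"] for p in parse_partitions(sector)]
    return disk_sectors - max(ends, default=0)


def read_sector0(path):
    """Read the first sector of a disk image or, on Windows with administrator
    rights, of a raw device such as r"\\.\PhysicalDrive0"."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# --- constructed sample data (not a real disk) ----------------------------------
def build_sample_mbr():
    boot_code = (bytes(range(256)) * 2)[:BOOT_CODE_LEN]   # stands in for loader code
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"           # disk signature + reserved
    table = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 100_000)      # one bootable NTFS partition
    table += b"\x00" * 16 * 3
    return boot_code + disk_sig + table + b"\x55\xaa"


CLEAN_MBR = build_sample_mbr()
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
DISK_SECTORS = 200_000

# Tampered copy: first 16 bytes of boot code overwritten, the way an MBR bootkit hooks boot.
TAMPERED_MBR = b"\xeb\xfe" + b"\x90" * 14 + CLEAN_MBR[16:]

if __name__ == "__main__":
    print("clean    :", check_mbr(CLEAN_MBR, CLEAN_BASELINE, DISK_SECTORS))
    print("tampered :", check_mbr(TAMPERED_MBR, CLEAN_BASELINE, DISK_SECTORS))
    print("unpartitioned tail sectors:", unpartitioned_tail(CLEAN_MBR, DISK_SECTORS))
```

The hash comparison is the part that matters: a bootkit can leave the partition table perfectly valid, so structural checks alone pass. The baseline has to come from somewhere you trust (a backup taken before the incident, or a known clean install of the same build), not from the possibly infected disk itself. On Windows the raw device path needs an elevated prompt, and a kernel-resident bootkit can still lie to user-mode reads, so the authoritative check is done against an image taken with the disk offline.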


#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 29 April 2011 - 06:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Shekky (Topic Starter, Members, 8 posts)

Posted 01 May 2011 - 12:09 AM

Hi there. :-)
Thanks for helping me out.
The only thing I have done is reinstall my antivirus software so that I can use the internet again without getting anything new. I have not been notified of anything new on the machine, but let me know if I need to do something to get you an updated log or anything.

(I also uninstalled Google Chrome, but have not reinstalled it. I am only using Firefox right now, which has not been changed since before the ComboFix log was generated.)

I forgot to mention in the original post that when AVG first notified me of the virus, it said it was svchost.exe giving me problems.

Thanks again.

Edited by Shekky, 01 May 2011 - 12:13 AM.


#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 01 May 2011 - 04:04 PM

I don't think there's much to be done here. ComboFix has removed the TDL4 rootkit which was causing the redirections. Usually there isn't much left after that, but we can do a quick clean-up check. First, the obligatory warning about ComboFix...

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Now please run an online scan with ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
If no log is generated that means nothing was found. Please let me know if this happens.

#5 Shekky (Topic Starter, Members, 8 posts)

Posted 01 May 2011 - 06:23 PM

Should I uninstall my current antivirus so they won't be competing or interfering with each other?

#6 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 01 May 2011 - 06:34 PM

You can disable the antivirus if you don't want to uninstall it.

#7 Shekky (Topic Starter, Members, 8 posts)

Posted 02 May 2011 - 08:59 PM

I don't have time to try it all until Wednesday or Thursday, because I assume I should block out at least two hours to do anything computer-related, especially if it requires a scan. Will you still check up on me even though it might be a couple of days before I post something?

#8 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 03 May 2011 - 02:17 PM

I will be tracking this topic as long as it is open :)

#9 Shekky (Topic Starter, Members, 8 posts)

Posted 08 May 2011 - 01:12 AM

Computers make me feel dumb sometimes. I tried to run the scan and it won't let me. It's saying: "Cannot get updates. Is proxy configured?"

#10 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 08 May 2011 - 03:58 AM

In Internet Explorer: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".

In Firefox you find the proxy server settings like this: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection.
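The ESET error in the previous post asks whether a proxy is configured, and the reply above points at Internet Explorer's LAN settings dialog. That dialog writes the per-user WinINet values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride), which is also where browser-hijacking malware commonly steers traffic, so a responder reads those values rather than clicking through the dialog. The following is an added example, not code from the thread: it parses the WinINet ProxyServer syntax, reports what each value means for traffic, and flags a proxy pointing at a local listener or a PAC script that needs to be read. The registry read only works on Windows; the two sample dictionaries are constructed here (the first mirrors the ProxyOverride line in the ComboFix log above, the second is a made-up hijacked configuration using a reserved example hostname) so the logic runs anywhere.

```python
# Added example: audit of per-user WinINet proxy values (not code from the thread).
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def parse_proxy_server(value):
    """WinINet stores ProxyServer either as "host:port" (used for every protocol)
    or as "http=host:port;https=host:port;..." (one entry per protocol)."""
    if not value:
        return {}
    if "=" not in value:
        return {"*": value.strip()}
    result = {}
    for part in value.split(";"):
        if "=" in part:
            scheme, _, target = part.partition("=")
            result[scheme.strip().lower()] = target.strip()
    return result


def audit_proxy(values):
    """values: dict of value name -> data as stored under the Internet Settings key.
    Returns human-readable findings explaining where traffic is being sent."""
    findings = []
    enabled = values.get("ProxyEnable", 0) == 1
    proxies = parse_proxy_server(values.get("ProxyServer", ""))
    if enabled:
        if not proxies:
            findings.append("ProxyEnable=1 but ProxyServer is empty: connections will fail")
        for scheme, target in proxies.items():
            host = target.rsplit(":", 1)[0].strip("[]")   # tolerate [ipv6]:port
            if host in LOOPBACK_HOSTS:
                findings.append("%s traffic is routed through a local listener at %s; "
                                "find the process bound there" % (scheme, target))
            else:
                findings.append("%s traffic is routed through %s; confirm this proxy is expected"
                                % (scheme, target))
    pac = values.get("AutoConfigURL", "")
    if pac:
        findings.append("AutoConfigURL=%s: a PAC script chooses the proxy per URL; "
                        "fetch and read it before trusting any connection" % pac)
    override = values.get("ProxyOverride", "")
    if override and not enabled and not pac:
        findings.append("ProxyOverride=%r is set with no proxy active (harmless leftover config)"
                        % override)
    return findings


def read_hkcu_proxy_values():
    """Read the live values on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS)
    values = {}
    for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL", "ProxyOverride"):
        try:
            values[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass  # value not present
    return values


# Constructed samples (not real registry exports).
SAMPLE_LOG_MACHINE = {"ProxyEnable": 0, "ProxyOverride": "*.local"}   # as in the ComboFix log above
SAMPLE_HIJACKED = {"ProxyEnable": 1,
                   "ProxyServer": "http=127.0.0.1:8118;https=127.0.0.1:8118",
                   "AutoConfigURL": "http://proxy.example.invalid/proxy.pac"}

if __name__ == "__main__":
    live = read_hkcu_proxy_values()
    for label, vals in (("log machine", SAMPLE_LOG_MACHINE), ("hijacked", SAMPLE_HIJACKED),
                        ("this host", live)):
        if vals is not None:
            print(label, "->", audit_proxy(vals) or ["no proxy configured"])
```

Note that the dialog's "Automatically detect settings" checkbox (WPAD) is stored in a binary blob under Connections\DefaultConnectionSettings, not in the four values read here, so a clean result from this audit does not rule out a proxy learned from DHCP or DNS; that is a separate check.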

#11 Shekky (Topic Starter, Members, 8 posts)

Posted 08 May 2011 - 07:41 AM

Hi again.
Finally...
Text file is attached. I saw the Uniblue Registry Booster listed on there over and over again. Did that program put stuff onto my computer that it wasn't supposed to? If so, that'd be really bad, since it was supposed to take bad stuff off.

Attached Files



#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 08 May 2011 - 08:14 AM

No, it didn't add anything else, but registry boosters, cleaners, etc. are not recommended (see below), and some security programs remove them.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

The log does show that the machine is looking pretty good. Any problems remaining?

#13 Shekky (Topic Starter, Members, 8 posts)

Posted 08 May 2011 - 09:18 AM

Thanks for the info :-)
The computer guy who recommended your site was the one who ran the Registry Booster program. I will uninstall it so I don't accidentally do anything. He couldn't get the information he wanted anyway without buying the full version.

Is the ESET scan safe to use and run without supervision from someone who can look and actually understand what it means? Or did you just need it for the log it created?

Same goes for things like AVG and Titanium antivirus. The scans run and create a list of stuff that is recommended for removal. Are there any precautions I should take so it's not removing the wrong things?

#14 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 08 May 2011 - 09:23 AM

Quote: Is the ESET scan safe to use and run without supervision from someone who can look and actually understand what it means? Or did you just need it for the log it created?

Yes, just for the log. It does an automatic removal and is safe to use yourself.

Quote: Same goes for things like AVG and Titanium antivirus. The scans run and create a list of stuff that is recommended for removal. Are there any precautions I should take so it's not removing the wrong things?

If it recommends removal then you should agree. There are instances of false positives where legitimate files are deleted, but this tends to happen only with third-party programs, which can always be reinstalled. Proper companies such as AVG make sure that the system files are recognised and not accidentally removed.

So, how's the machine running now?

#15 Shekky (Topic Starter, Members, 8 posts)

Posted 09 May 2011 - 09:49 PM

Hi,
I think things are OK, except I still can't get Titanium running the way it was when I first installed it. I can't get it to open the screen that lets me select running a scan. I'll double-click to get it to start; the logo pops up on my screen as if it's starting up, but then there is no sign of it actually running. I don't see it under the Task Manager either, unless it's under some letter that I can't decipher. I didn't want to uninstall/reinstall it yet again until I got the OK from you. But I think I'm going to give it another try, and if I still can't get the thing to work maybe I'll dump it altogether and go back to AVG Free.
Other than that, I have to turn stuff back on. As in, I turned off a lot of the startup processes and have left them off. I also haven't done a huge amount of web surfing. Really just doing minimal stuff since it all happened.

I haven't really put the machine through the wringer. Overall, from what I can tell, things seem OK. I occasionally have oddball moments where it seems like something is processing on my computer, but I don't have anything going. It makes me wonder what's loading. It's probably some advertisement or something that I'm not paying attention to.



