
Windows Recovery Virus, Redirects, Script Errors



#1 cmackey

Posted 19 April 2011 - 03:55 PM

Yesterday, while searching the internet, my screen flashed & a "Windows Recovery" error popped up. I knew better than to click on it, but it was already showing up in my tray as well. It began hiding my files, etc. I did a system restore, which brought everything back...sorta. The following problems still exist:

1. Many of my files are grayed out, even though I can still click & open them
2. I keep getting Internet Explorer script errors (even while IE isn't open/running) many involving medio.com
3. While trying to search the internet I keep getting redirected
4. My internet settings/preferences have all been changed and/or deleted.

My laptop is a Dell Latitude running Windows XP. I currently have Avast & Spybot running.

Thank you for any help you can provide!!

Edited by cmackey, 19 April 2011 - 04:56 PM.


#2 boopme (Global Moderator)

Posted 19 April 2011 - 10:07 PM

Hello and welcome. Please follow our Removal Guide here: Remove Windows Recovery.
After reading how the malware is misleading you, move on to the Automated Removal Instructions.

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log, including the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 cmackey (Topic Starter)

Posted 20 April 2011 - 08:18 AM

Thank you for helping me!!

After running each of the suggested programs here's the current status of the situation:

1. Files are now visible
2. I am still getting script errors
3. Still getting redirected while attempting to surf in IE
4. Internet settings/preferences are again visible

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6406

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2011 7:34:07 AM
mbam-log-2011-04-20 (07-34-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 333358
Time elapsed: 56 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\admin\local settings\Temp\0.756190985319412.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
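As an added example (not code from the thread or from Malwarebytes), a small Python parser for the MBAM 1.50 log format posted above and again in post #10: it pulls out the product and database versions, the per-section summary counts and each detection entry, and flags any section whose summary count disagrees with the entries actually listed, which is the first sanity check to make before trusting a pasted log. The embedded sample is a constructed copy of this post's log with a few empty sections dropped for brevity.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first MBAM log in this thread, with some of the
# empty "(No malicious items detected)" sections left out for brevity.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6406

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2011 7:34:07 AM
mbam-log-2011-04-20 (07-34-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 333358
Time elapsed: 56 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\admin\local settings\Temp\0.756190985319412.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    item: str      # path, key or process name as printed in the log
    threat: str    # MBAM's detection name, e.g. "Trojan.Dropper"
    action: str    # what MBAM did with it


@dataclass
class MbamReport:
    product_version: str = ""
    database_version: str = ""
    objects_scanned: int = 0
    summary: dict = field(default_factory=dict)       # section -> count
    detections: list = field(default_factory=list)    # Detection objects

    def mismatches(self):
        """Sections whose summary count disagrees with the entries listed."""
        out = []
        for section, count in self.summary.items():
            listed = sum(1 for d in self.detections if d.section == section)
            if listed != count:
                out.append((section, count, listed))
        return out


SUMMARY_RE = re.compile(r"^(?P<section>.+?) Infected: (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+?) Infected:$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Parse an MBAM 1.50-style log into an MbamReport."""
    report = MbamReport()
    section = None  # detail section we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends a detail section
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.product_version = line.split()[-1]
            continue
        if line.startswith("Database version: "):
            report.database_version = line.split(": ", 1)[1]
            continue
        if line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            report.detections.append(Detection(section, m["item"], m["threat"], m["action"]))
        else:
            # Keep entries we could not split rather than silently dropping them.
            report.detections.append(Detection(section, line, "?", "?"))
    return report
```

A log whose "Files Infected" count does not match the listed entries is worth re-requesting in full, since a partial paste hides what was quarantined.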

#4 cmackey (Topic Starter)

Posted 20 April 2011 - 11:39 AM

If it's any help at all, I ran a processes list from Spybot:



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---


#5 boopme (Global Moderator)

Posted 20 April 2011 - 11:57 AM

Hello, We need to disable Spybot S&D's "TeaTimer" if running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode > Advanced Mode.
  • You may be presented with a warning dialog. If so, click Yes.
  • Click on Tools and then Resident.
  • Uncheck this checkbox: "Resident TeaTimer (protection of over-all system settings) active"
  • Close/Exit Spybot Search and Destroy.



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


#6 cmackey (Topic Starter)

Posted 20 April 2011 - 12:58 PM

I turned off TeaTimer, as you requested.

I was able to download TDSSKiller.exe, but it would not run.

I renamed it abc123.com, per your suggestion; it still will not run.

#7 boopme (Global Moderator)

Posted 20 April 2011 - 03:10 PM

Sorry, I am in and out today.
TDSSKiller from Command Prompt

Use the following command to scan the PC with a detailed log written into the file report.txt (created in the TDSSKiller.exe utility folder):
Open Command Prompt in XP: click Start >> Run, type cmd.
Copy and paste this at the flashing cursor and hit Enter:

TDSSKiller.exe -l report.txt

#8 cmackey (Topic Starter)

Posted 20 April 2011 - 04:38 PM

No problem. I am just very grateful for your help!!

Using the command prompt didn't work either. Here's what I got:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin>TDSSKiller.exe -l report.txt
'TDSSKiller.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\admin>

#9 boopme (Global Moderator)

Posted 20 April 2011 - 08:08 PM

Those are all Spybot files above, just so you know.
Try turning Spybot off and do the first TDSS instruction.

If it runs, post the log. Either way,
let's run an online scan.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#10 cmackey (Topic Starter)

Posted 21 April 2011 - 07:01 AM

Somehow, the entire process started over, exactly as it did before, with the Windows Recovery Virus. So, I ran iExplore.exe & Malwarebytes again. Attempted the tdsskiller.exe, which still doesn't run, then ran the ESET online scan. Here are the logs from all three:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/20/2011 at 21:41:03.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\UEBeSifOsb.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\taskmgr.exe


Rkill completed on 04/20/2011 at 21:41:13.

_______________________________________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6406

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2011 10:33:40 PM
mbam-log-2011-04-20 (22-33-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 317863
Time elapsed: 51 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
______________________________________________

C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\7VIQFBD9\chikde_com[1].htm HTML/Iframe.B.Gen virus

#11 boopme (Global Moderator)

Posted 21 April 2011 - 06:13 PM

Hello. HTML/Iframe.B.Gen is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software. So you just may have gone to an infected web page.

Let's do a safe mode scan.
Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account...
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#12 cmackey (Topic Starter)

Posted 22 April 2011 - 09:34 AM

I ran ATF Cleaner and then SUPERAntiSpyware, per your instructions.

1. The script errors are still popping up if my wireless internet is enabled, but stop if I disable the connection.

2. Also, my internet searches are still being redirected:
-If I click on a specific link, it goes where it should.
-If I click on a link in my favorites, it goes where it should.
-However, if I click on a link from a search engine, such as google or yahoo, it is redirected.

Right now, this is the only thing I am noticing since running the ATF Cleaner and then SUPERAntiSpyware. Here is the SUPERAntiSpyware log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/21/2011 at 10:31 PM

Application Version : 4.51.1000

Core Rules Database Version : 6890
Trace Rules Database Version: 4702

Scan type : Complete Scan
Total Scan Time : 03:26:29

Memory items scanned : 243
Memory threats detected : 0
Registry items scanned : 6758
Registry threats detected : 1
File items scanned : 124139
File threats detected : 41

Trojan.Agent/Gen-FakeAntiSpy
[UEBeSifOsb] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UEBESIFOSB.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UEBESIFOSB.EXE

Adware.Tracking Cookie

#13 boopme (Global Moderator)

Posted 22 April 2011 - 07:22 PM

Do you have an antivirus running? Try to disable it. DEFOGGER
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Try TDSS again.

#14 cmackey (Topic Starter)

Posted 22 April 2011 - 10:13 PM

I disabled Avast & Spybot. Also made sure TeaTimer was not running.

I ran DeFogger - I got the "Finished" message, but it did not ask me to reboot.

TDSS still will not run.

Here is the DeFogger Log:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:58 on 22/04/2011 (admin)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

#15 boopme (Global Moderator)

Posted 23 April 2011 - 09:33 AM

We may have to move you, as I suspect a problem rootkit.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".