
Desktop files erased, redirect problem, Windows XP Recovery virus, IEXPLORE.EXE running


This topic is locked
19 replies to this topic

#1 everyone82

  • Members
  • 24 posts

Posted 03 June 2011 - 02:26 AM

I had originally posted earlier at the link below, but was told to re-post after running a few programs here. I have attached all the necessary files. Thank you for checking out my post. Hopefully someone can help.


http://www.bleepingcomputer.com/forums/topic400565.html/page__pid__2274634#entry2274634

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Run by Scott at 1:48:31 on 2011-06-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.166 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>
BHO: {0bdbc759-af8b-4546-b89b-12a3217f632b} - c:\windows\system32\avifil3232.dll
BHO: {78c6c846-d216-49f7-987a-50752aec6b56} - c:\windows\system32\avifil3232.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MKctc] c:\windows\msmgm.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Cgili] rundll32.exe "c:\windows\ictsvdr.dll",Startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CCleaner.exe] c:\documents and settings\scott\application data\izyngqybvxdqnvjiiksfha\izyngqybvxdqnvjiiksfha\0.0.0.0\CCleaner.exe
mRun: [Omiwesavade] rundll32.exe "c:\windows\anapaqek.dll",Startup
mRun: [MKctc] c:\windows\msmgm.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [MKctc] c:\windows\msmgm.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{75BC238C-4555-4239-A6B4-1427FCF7E697} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: Antiwpa - antiwpa.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scott\application data\mozilla\firefox\profiles\dptmheg7.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\scott\application data\mozilla\firefox\profiles\dptmheg7.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
S0 dklcb;dklcb;c:\windows\system32\drivers\gvgxkm.sys --> c:\windows\system32\drivers\gvgxkm.sys [?]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\localservice\local settings\application data\tsc.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-05-30 09:38:46 0 ---ha-w- c:\documents and settings\scott\drokavngvi.tmp
2011-05-30 03:09:24 776704 ----a-w- c:\windows\system32\shimeng32.exe
2011-05-30 03:09:20 776704 ----a-w- c:\windows\system32\licwmi32.exe
2011-05-30 03:09:20 776704 ----a-w- c:\windows\system32\dbghelp32.exe
2011-05-30 03:09:18 365568 ----a-w- c:\windows\system32\avifil3232.dll
2011-05-29 12:43:26 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-29 12:43:26 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-22 06:20:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 03:02:51 -------- d-----w- c:\documents and settings\scott\application data\IzYngQyBVxDQNvJiiKSfHa
2011-05-14 03:02:45 446464 ----a-w- c:\documents and settings\scott\application data\datacorecr.exe
2011-05-10 21:33:08 -------- d-----w- c:\documents and settings\scott\local settings\application data\MPlayer
.
==================== Find3M ====================
.
2011-05-03 05:48:39 0 ----a-w- c:\windows\Jrocaripecilu.bin
2011-03-23 06:56:51 135168 --sha-r- c:\windows\system32\replace8.dll
2011-03-23 06:56:51 135168 --sha-r- c:\windows\system32\dmdskresx.dll
.
============= FINISH: 1:49:54.87 ===============

Attached Files


Edited by Noviciate, 03 June 2011 - 02:45 PM.
Added DDS log from attachment.
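A triage pass over the DDS report above, as an added example that is not part of the original post and not code from the DDS tool: it takes a handful of lines copied from the log (a constructed subset, with the benign Java BHO and Java updater entries kept so the allow path is exercised) and flags what a responder would look at first: the hijacked `exefile` association (every .exe launch routed through a dropped `tsc.exe`), the boot-start driver DDS marks `[?]`, Run values with no vowels in the name, binaries or `rundll32 ...,Startup` DLLs dropped straight into the `%windir%` root, the `qttask .exe` name padded with a space, an unnamed BHO, Winlogon Notify packages, and the same value planted in all three hives. The regexes, severity labels and heuristics are this editor's assumptions, not DDS conventions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS report above (Pseudo HJT,
# SERVICES / DRIVERS and File Associations sections) plus the benign Java BHO
# and Java updater entries, so that the allow path is exercised. Not the full log.
SAMPLE_DDS = r"""
BHO: {0bdbc759-af8b-4546-b89b-12a3217f632b} - c:\windows\system32\avifil3232.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [MKctc] c:\windows\msmgm.exe
uRun: [Cgili] rundll32.exe "c:\windows\ictsvdr.dll",Startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CCleaner.exe] c:\documents and settings\scott\application data\izyngqybvxdqnvjiiksfha\izyngqybvxdqnvjiiksfha\0.0.0.0\CCleaner.exe
mRun: [Omiwesavade] rundll32.exe "c:\windows\anapaqek.dll",Startup
mRun: [MKctc] c:\windows\msmgm.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [MKctc] c:\windows\msmgm.exe
Notify: Antiwpa - antiwpa.dll
Notify: itlntfy - itlnfw32.dll
S0 dklcb;dklcb;c:\windows\system32\drivers\gvgxkm.sys --> c:\windows\system32\drivers\gvgxkm.sys [?]
exefile="c:\documents and settings\localservice\local settings\application data\tsc.exe" -a "%1" %*
"""

# Line shapes DDS prints; the u/m/d prefix is DDS's HKCU / HKLM / HKU\.DEFAULT marker.
RUN_RE = re.compile(r'^([umd])Run: \[([^\]]*)\] (.*)$')
BHO_RE = re.compile(r'^BHO: (?:(.*?): )?\{([0-9a-f-]{36})\} - (.*)$', re.I)
NOTIFY_RE = re.compile(r'^Notify: (\S+) - (.*)$')
DRIVER_RE = re.compile(r'^[SR][0-4] ([^;]+);')
EXEFILE_RE = re.compile(r'^exefile=(.*)$')
# Heuristics below are this editor's assumptions, tuned to the shapes seen in this log.
WINDOWS_ROOT = re.compile(r'^c:\\windows\\[^\\]+\.(exe|dll)$', re.I)  # file sitting in %windir% itself
SPACE_BEFORE_EXT = re.compile(r'\S\s+\.exe\b', re.I)                  # "qttask .exe"
USER_WRITABLE = re.compile(r'\\application data\\', re.I)              # inside a user profile
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)
DEFAULT_EXEFILE = '"%1" %*'   # what a clean XP exefile\shell\open\command holds


def first_path(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.*?\.(?:exe|dll))', cmd, re.I)   # unquoted path may contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def looks_random(name):
    """Four or more letters and not a single vowel: MKctc, dklcb, gvgxkm."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 4 and not any(c in "aeiou" for c in letters)


def triage(text):
    """Return (severity, line, reason) findings for one DDS report."""
    findings = []
    hives = defaultdict(set)   # Run value name -> hives it was planted in
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            hives[name].add(hive)
            path = first_path(cmd)
            if looks_random(name):
                findings.append(("medium", line, "Run value name has no vowels (random-looking)"))
            if SPACE_BEFORE_EXT.search(cmd):
                findings.append(("high", line, "executable name padded with spaces before .exe (file-name masquerade)"))
            rd = RUNDLL_RE.search(cmd)
            if rd and WINDOWS_ROOT.match(rd.group(1)):
                findings.append(("high", line, "rundll32 loads %s export %s from the %%windir%% root" % rd.groups()))
            elif WINDOWS_ROOT.match(path):
                findings.append(("high", line, "autorun binary sits directly in the %windir% root"))
            if USER_WRITABLE.search(path):
                findings.append(("medium", line, "autorun from a user-writable profile directory"))
            continue
        m = BHO_RE.match(line)
        if m and not m.group(1):
            findings.append(("high", line, "BHO registered without a display name"))
            continue
        if NOTIFY_RE.match(line):
            findings.append(("medium", line, "Winlogon Notify package: DLL is loaded into winlogon.exe as SYSTEM"))
            continue
        if DRIVER_RE.match(line) and line.endswith("[?]"):
            findings.append(("critical", line, "boot-start driver DDS could not stat ([?]): hidden driver, rootkit indicator"))
            continue
        m = EXEFILE_RE.match(line)
        if m and m.group(1).strip() != DEFAULT_EXEFILE:
            findings.append(("critical", line, "exefile association hijacked: every .exe launch is routed through " + first_path(m.group(1))))
    for name, where in hives.items():
        if where == {"u", "m", "d"}:
            findings.append(("high", "[%s]" % name, "same autorun planted in HKCU, HKLM and .DEFAULT hives"))
    return findings


def summarize(findings):
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = {"critical": 0, "high": 1, "medium": 2}
    for severity, line, reason in sorted(triage(SAMPLE_DDS), key=lambda f: order[f[0]]):
        print("%-8s %s\n         %s" % (severity.upper(), line, reason))
```

Two of the checks deserve a note. The `exefile` finding is the one that matters most for cleanup: while `"%1" %*` is replaced by a path to `tsc.exe`, every program the user (or a cleaning tool) launches passes through the malware first, which is why the thread moves straight to ComboFix rather than an ordinary scanner. The `[?]` on the `S0` driver means DDS could not read the file it points at; a boot-start driver that hides its own file is the classic rootkit indicator, and the later CFScript removes that driver by name.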



#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 June 2011 - 02:56 PM

Good evening. :)

Download MGADiag from here and save it to your Desktop.
  • Double click it to run it.
  • Click Continue.
  • Once the scan has completed, click Copy - this will transfer the results to your clipboard.
  • Paste them into your next reply.

So long, and thanks for all the fish.

 

 


#3 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 03 June 2011 - 09:08 PM

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-C6388-DTB2R-FFPRM
Windows Product Key Hash: Bl2MWfx+QKppWAUWgjggWiT7ZgQ=
Windows Product ID: 76487-024-5236883-22901
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 5.1.2600.2.00010100.3.0.xpn
ID: {3ED2A1F9-76A7-4E09-A383-BFA54213ECB9}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Word 2002 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_70AFE6BE-656-80070057_E2AD56EA-815-80070057

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3ED2A1F9-76A7-4E09-A383-BFA54213ECB9}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.xpn</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-FFPRM</PKey><PID>76487-024-5236883-22901</PID><PIDType>5</PIDType><SID>S-1-5-21-2052111302-616249376-1644491937</SID><SYSTEM><Manufacturer>Dell Computer Corporation </Manufacturer><Model>DIM4500 </Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>A03</Version><SMBIOSVersion major="2" minor="3"/><Date>20020718000000.000000+000</Date></BIOS><HWID>50213FE701842052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{911B0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Word 2002</Name><Ver>10</Ver><Val>BCC859CED868F72</Val><Hash>vzb9+FRBCROeRqSOJtHN6iieaXI=</Hash><Pid>54189-OEM-1691873-67545</Pid><PidType>4</PidType></Product></Products><Applications><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E840:Dell Inc|145BB:Dell Inc|19CD0:GENUINE C&C INC|145BB:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

#4 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 03 June 2011 - 09:11 PM

Not sure what that is for, but if it's to find out about my version of Windows XP, it was borrowed from a friend. Dell would not send me a new one after I had the computer for 8 years and had to reformat my hard drive. So I had to get a copy. Went to reinstall with the Dell Windows XP disk and no longer had the serial numbers.

#5 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 05 June 2011 - 02:43 PM

Hello everyone82,
Unfortunately you have a nasty rootkit on your computer. Please read the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 06 June 2011 - 10:42 AM

My combofix log...

Attached Files



#7 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 06 June 2011 - 11:15 AM

Hi again, still quite some malware to clean up here.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
RenV::
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\PC Tools Security\pctsGui .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\windows\system32\rundll32 .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omiwesavade"=-
"MKctc"=-
"Plug Manager"=-
"Input Manager"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MKctc"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cgili]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmaIXnd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmaIXneP]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmaIXnf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmaIXngP]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmaIXnie]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmaIXnth]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lgxuivco]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKayc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbta]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbtala/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbtc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKctc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKeg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKfpe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKfsc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKWPqe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omiwesavade]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uPc+MV0NrcaGuo]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


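The CFScript format itself, as an added example that is not part of the original post and not ComboFix's own code: a small parser that splits a script into its `Name::` sections, lists what the Registry:: section will delete, and emits the same deletions as a regedit-importable .reg file, since that section already uses .reg syntax (`[-key]` removes a whole key, `"value"=-` removes one value). The RenV:: handling assumes the directive restores padded names such as `qttask     .exe` by dropping the whitespace before the extension; that reading of RenV is this editor's assumption, not taken from ComboFix documentation. The sample script is an abbreviated copy of the one above.

```python
import re

# Constructed sample: an abbreviated copy of the CFScript posted above
# (three RenV:: paths, part of the Registry:: section, the Driver:: line).
SAMPLE_CFSCRIPT = r"""RenV::
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask     .exe
c:\windows\system32\rundll32 .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omiwesavade"=-
"MKctc"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MKctc"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cgili]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKctc]

Driver::
dklcb
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
PAD_RE = re.compile(r"\s+(?=\.[A-Za-z0-9]+$)")   # whitespace run just before the extension


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; a section starts at a 'Name::' header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def renv_plan(sections):
    """(padded path, restored path) pairs for RenV:: entries.
    ASSUMPTION: the directive restores a name by dropping the padding before the extension."""
    plan = []
    for path in sections.get("RenV", []):
        restored = PAD_RE.sub("", path)
        if restored != path:
            plan.append((path, restored))
    return plan


def deletions(sections):
    """What Registry:: removes: whole keys ([-key]) and (key, value) pairs ("value"=-)."""
    keys, values, current = [], [], None
    for line in sections.get("Registry", []):
        if line.startswith("[-") and line.endswith("]"):
            keys.append(line[2:-1])
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-') and current:
            values.append((current, line[1:-3]))
    return keys, values


def registry_to_reg(sections):
    """The same deletions as a regedit-importable file: Registry:: already uses .reg syntax."""
    return "Windows Registry Editor Version 5.00\n\n" + "\n".join(sections.get("Registry", [])) + "\n"


if __name__ == "__main__":
    secs = parse_cfscript(SAMPLE_CFSCRIPT)
    for old, new in renv_plan(secs):
        print("rename %r -> %r" % (old, new))
    keys, values = deletions(secs)
    print("keys deleted:", keys)
    print("values deleted:", values)
    print(registry_to_reg(secs))
```

Note the two kinds of registry entry in the script: the `"MKctc"=-` lines under `...\CurrentVersion\Run` remove the live autorun values, while the `[-...\msconfig\startupreg\...]` keys only remove msconfig's record of startup items that were disabled through it; deleting a startupreg key on its own leaves a still-enabled Run value in place. The .reg text above is ASCII with LF line endings; regedit's own exports are UTF-16LE with CRLF, so convert before importing if an ASCII file is refused.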


#8 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 06 June 2011 - 07:49 PM

Hope I did this right. When I dragged the notepad file onto it, it updated again, then ran.

Attached Files

  • Attached File: log.txt (13.56 KB, 5 downloads)


#9 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 07 June 2011 - 05:57 AM

Hi, how are things running at this point?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\documents and settings\Scott\Application Data\IzYngQyBVxDQNvJiiKSfHa

Driver::
dklcb

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise




#10 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 07 June 2011 - 07:24 PM

New post. Thanks again.

Attached Files



#11 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 08 June 2011 - 01:01 AM

Before the last ComboFix move, things were running much faster. I did however recently get a random Google redirect issue, and things slowed down a bit. Not sure if something popped back up.

#12 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 08 June 2011 - 04:36 AM

Hi again, glad to hear that things have improved. :)

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


Please launch Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log.


Finally, I really recommend that you consider purchasing a legal copy of Windows or, if that is not an option for financial reasons, switching to a free OS like Ubuntu.
Not only is it illegal to use Windows this way, but it also keeps you wide open for infections, as Windows Update will not adequately protect you. If you have any questions regarding this, please let me know.

regards, Elise




#13 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 12 June 2011 - 01:03 AM

Sorry for the delay. I was away from my computer for a couple days. Here is the Malwarebytes log.

Attached Files



#14 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 12 June 2011 - 03:29 AM

Please make sure you have removed all infections detected by MBAM. Let's also run a last scan for leftovers.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise




#15 everyone82
  • Topic Starter
  • Members
  • 24 posts

Posted 12 June 2011 - 11:22 PM

Before I hit finish, I didn't click on delete quarantined files. Should I have? Anyway, here is the log.

Attached Files





