Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect for sure.


  • This topic is locked This topic is locked
14 replies to this topic

#1 thewhiteowl

thewhiteowl

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 17 June 2011 - 01:40 PM

Hello all, First I would like to thank in advance all of you who generously give your time to help. It is so necessary and so appreciated.

I'm not very PC savvy and I don't use this PC for very much, it's quite the dinosaur but I like it and want to save it from the landfill. I'm getting redirected from Google to 66tv or Yellowpages. A friend tried to help me and we have done a system restore to no avail. I'm not sure if there is anything else wrong with it. I've done the prep work requested except for Gmer as I have no idea what -bit this is and no idea how to find out but am willing if directed to do so. here are the dds logs.

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by laura 2 at 11:14:06 on 2011-06-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.509 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {21608B66-026F-4DCB-9244-0DACA328DCED} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - c:\program files\gamesbar\2.0.1.82\oberontb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - c:\program files\gamesbar\2.0.1.82\oberontb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\2.0.1.82\oberontb.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{86A55E38-FB46-450B-8795-298DFFAF4CD1} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
AppInit_DLLs: NVDESK32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\laura 2\application data\mozilla\firefox\profiles\gvxvvf7t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-4 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-15 366640]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
.
=============== Created Last 30 ================
.
2011-06-16 22:05:48 -------- d-----w- c:\documents and settings\laura 2\application data\Oberon Media
2011-06-15 23:36:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-15 23:36:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-15 23:34:43 -------- d-----w- c:\documents and settings\laura 2\local settings\application data\Sunbelt Software
2011-06-15 23:33:02 -------- d-----w- c:\program files\softendo.com
2011-06-15 23:30:43 -------- d-----w- c:\documents and settings\laura 2\application data\AVG10
2011-06-15 23:29:35 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-06-15 23:27:44 -------- d-----w- c:\program files\Oberon Media
2011-06-15 23:27:42 -------- d-----w- c:\program files\GamesBar
2011-06-15 23:27:41 -------- d-----w- c:\program files\common files\Oberon Media
2011-06-15 23:24:15 -------- d-----w- C:\Media
2011-06-15 22:10:45 -------- d-----w- c:\documents and settings\laura 2\local settings\application data\Adobe
2011-06-15 22:10:07 -------- d-----w- c:\documents and settings\laura 2\application data\Malwarebytes
2011-06-15 22:09:34 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-15 22:09:32 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-15 22:09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 20:49:31 388096 ----a-r- c:\documents and settings\laura 2\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-15 20:49:28 -------- d-----w- c:\program files\Trend Micro
2011-06-15 20:43:09 0 ---ha-w- C:\aaw7boot.cmd
2011-06-15 19:44:20 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-15 17:58:20 -------- d-----w- c:\program files\Lavasoft
2011-06-15 17:13:07 -------- d-----w- c:\documents and settings\laura 2\application data\GlarySoft
2011-06-15 17:11:40 -------- d-----w- c:\program files\Glarysoft
2011-06-15 08:56:01 -------- d-----w- c:\program files\beavis
2011-06-15 08:53:12 -------- d-----w- c:\program files\PopCap Games
2011-06-15 08:51:35 -------- d-----w- c:\program files\GameHouse
2011-06-15 07:35:17 -------- d-----w- c:\documents and settings\laura 2\local settings\application data\Mozilla
2011-06-15 06:37:54 -------- d-sh--w- c:\documents and settings\laura 2\PrivacIE
2011-06-15 06:37:27 -------- d-sh--w- c:\documents and settings\laura 2\IETldCache
2011-06-15 06:37:21 -------- d-----w- c:\documents and settings\laura 2\local settings\application data\Microsoft
2011-06-15 04:09:49 -------- d-sh--w- C:\found.000
2011-06-15 02:56:39 -------- d-----w- C:\winxp
2011-06-15 01:29:56 -------- d--h--w- C:\$AVG
2011-06-15 00:42:51 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-15 00:35:37 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-15 00:35:37 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-06-15 00:34:31 -------- d-----w- c:\program files\AVG
2011-06-15 00:29:22 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-07 19:10:46 -------- d-----w- c:\documents and settings\all users\application data\Friends Games
2011-06-07 19:05:41 -------- d-----w- c:\program files\MSN Games
2011-06-07 19:05:41 -------- d-----w- c:\documents and settings\all users\application data\Oberon Media
2011-06-07 19:04:23 -------- d-----w- c:\documents and settings\all users\application data\GamesBar
2011-06-06 19:55:30 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-06 19:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-06-04 00:02:42 77824 ----a-w- c:\windows\system32\xvid.ax
2011-06-04 00:02:42 -------- d-----w- c:\program files\Xvid
2011-06-04 00:01:55 -------- d-----w- c:\program files\XP Codec Pack
2011-06-03 15:12:03 32768 ----a-w- c:\windows\system\ahqman.dll
2011-06-03 15:11:42 32768 ----a-w- c:\windows\system32\ahqman.dll
2011-06-03 15:09:56 90112 ----a-w- c:\windows\Updreg.exe
2011-06-03 15:07:58 84992 ----a-w- c:\windows\system32\sfcvrt32.dll
2011-06-03 15:07:58 149504 ----a-w- c:\windows\system32\mfcans32.dll
2011-06-03 15:07:58 108032 ----a-w- c:\windows\system32\mfcuia32.dll
2011-06-03 15:07:57 82432 ----a-w- c:\windows\system32\ctwflt32.dll
2011-06-03 15:07:57 53552 ----a-w- c:\windows\ctccw.dll
2011-06-03 15:07:57 34816 ----a-w- c:\windows\CTRes32.dll
2011-06-03 15:07:57 26768 ----a-w- c:\windows\system32\ctl3d.dll
2011-06-03 15:07:57 24976 ----a-w- c:\windows\ctres.dll
2011-06-03 15:06:30 3584 ----a-w- c:\windows\system32\Ahqcpres.dll
2011-06-03 15:06:30 18432 ----a-w- c:\windows\system32\Audiohq.cpl
2011-06-03 15:06:05 55808 ----a-w- c:\windows\system32\CtMp3.Crl
2011-06-03 15:06:04 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-06-03 15:06:04 25088 ----a-w- c:\windows\system32\CTSVCCTL.EXE
2011-06-03 14:34:16 221184 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-06-03 14:34:15 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-06-03 14:34:15 221184 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-06-03 14:34:14 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-06-03 14:34:09 602244 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-06-03 14:26:11 -------- d-----w- C:\compaq
2011-06-03 00:23:59 61440 ----a-w- c:\windows\system32\SanCpl.cpl
2011-06-03 00:23:58 -------- d-----w- c:\program files\SiSoftware
2011-06-03 00:23:37 306688 ----a-w- c:\windows\IsUninst.exe
2011-06-02 23:42:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 23:39:08 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2011-05-25 09:00:36 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-15 04:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 07:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.
============= FINISH: 11:15:05.98 ===============

I attached the attach file. I know your time is valuable and I appreciate any help. In the spirit that there is no such thing here as too much info, My friend has installed Malwarebytes, we ran it and it showed no problems. Also tried Hijackthis, but have no idea what to remove or fix so we didn't.
Thanks so much, Laura

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 17 June 2011 - 11:45 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Iíve given you the ďAll clear.Ē Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Posted Image Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    Posted Image
    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


If you have trouble running GEMR:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 18 June 2011 - 06:01 AM

Thanks so much for responding. I ran Gmer and am pasting results.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-17 16:25:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_98196H8 rev.ZAH814Y0
Running: gmer.exe; Driver: C:\DOCUME~1\LAURA2~1\LOCALS~1\Temp\ugwiapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF759D87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF759DBFE]

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys F7578BD0 4 Bytes [36, 9A, 4D, 80]
INITc VolSnap.sys F7578BF8 4 Bytes [94, 87, 4E, 80] {XCHG ESP, EAX; XCHG [ESI-0x80], ECX}
INITc VolSnap.sys F7578C20 4 Bytes [A0, C1, 4D, 80]
INITc VolSnap.sys F7578C48 4 Bytes [B0, C8, 4D, 80]
INITc VolSnap.sys F7578C70 4 Bytes [09, BF, 4D, 80]
INITc ...
? C:\DOCUME~1\LAURA2~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[784] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[784] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0075000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[784] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0072000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[784] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0071000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[784] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0073000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[784] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0074000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B26A90
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B26C90
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0057000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0056000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0058000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0059000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2044] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0055000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B26A90
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3880] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B26C90

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 82EF8E7A
Thread System [4:128] 82EFB008

---- EOF - GMER 1.0.15 ----
I hope I did it correctly. the last time I checked to see if it was still redirecting the PC shut itself off but it was pretty warm here. I cleaned the hard drive by following the instructions and have been doing a lot of reading here but I haven't done anything else.
thanks again, Laura

#4 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 18 June 2011 - 07:47 AM

Sorry to re-post I don't mean to bump this but I had this appear on my desktop and I'm afraid to do anything with it.

zlynubhlzt.tmp.

No idea where it came from or what it is. I certainly won't open it or do anything till you give me the Okay.

Thanks Laura

Edited by thewhiteowl, 18 June 2011 - 01:06 PM.


#5 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 18 June 2011 - 07:21 PM

Laura:

Please do this next:

Posted Image Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. You may do this through Control Panel > Add/Remove Programs or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Edited by RPMcMurphy, 18 June 2011 - 07:23 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#6 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 18 June 2011 - 11:20 PM

RPMcMurphy, I ran it here is the log.

ComboFix 11-06-17.04 - laura 2 06/18/2011 20:52:47.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.502 [GMT -7:00]
Running from: c:\documents and settings\laura 2\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\laura 2\0.08972170979007654.exe
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}\chrome.manifest
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}\chrome\xulcache.jar
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}\defaults\preferences\xulcache.js
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}\install.rdf
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270C.manifest
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270O.manifest
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270P.manifest
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270S.manifest
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-05-19 to 2011-06-19 )))))))))))))))))))))))))))))))
.
.
2011-06-18 05:23 . 2011-06-18 05:23 764416 ----a-w- c:\windows\system32\shell32.exe
2011-06-18 05:23 . 2011-06-18 05:23 169472 ----a-w- c:\windows\system32\msxml3r32.dll
2011-06-18 05:23 . 2011-06-18 05:23 764416 ----a-w- c:\windows\system32\catsrv32.exe
2011-06-18 05:23 . 2011-06-18 05:23 349696 ----a-w- c:\windows\system32\audiosrv32.dll
2011-06-15 23:36 . 2011-06-15 23:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-15 23:33 . 2011-06-15 23:34 -------- d-----w- c:\program files\softendo.com
2011-06-15 23:29 . 2011-06-15 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-06-15 23:27 . 2011-06-16 22:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-06-15 23:27 . 2011-06-15 23:27 -------- d-----w- c:\program files\Oberon Media
2011-06-15 23:27 . 2011-06-15 23:27 -------- d-----w- c:\program files\GamesBar
2011-06-15 23:27 . 2011-06-15 23:27 -------- d-----w- c:\program files\Common Files\Oberon Media
2011-06-15 23:24 . 2011-06-15 23:24 -------- d-----w- C:\Media
2011-06-15 23:23 . 2011-06-15 23:23 -------- d-----w- c:\program files\Common Files\InstallShield
2011-06-15 22:32 . 2011-06-15 23:33 -------- d-----w- c:\documents and settings\Laura Linvingston
2011-06-15 22:13 . 2011-06-15 22:28 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-15 22:10 . 2011-06-15 22:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-06-15 22:09 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-15 22:09 . 2011-06-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-15 22:09 . 2011-06-15 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 20:49 . 2011-06-15 20:49 -------- d-----w- c:\program files\Trend Micro
2011-06-15 20:43 . 2011-06-15 20:43 0 ---ha-w- C:\aaw7boot.cmd
2011-06-15 19:44 . 2011-06-15 18:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-15 17:58 . 2011-06-15 23:34 -------- d-----w- c:\program files\Lavasoft
2011-06-15 17:11 . 2011-06-15 17:11 -------- d-----w- c:\program files\Glarysoft
2011-06-15 08:56 . 2011-06-15 08:56 -------- d-----w- c:\program files\beavis
2011-06-15 08:53 . 2011-06-15 08:53 -------- d-----w- c:\program files\PopCap Games
2011-06-15 08:51 . 2011-06-15 08:51 -------- d-----w- c:\program files\GameHouse
2011-06-15 06:37 . 2011-06-19 03:58 -------- d-----w- c:\documents and settings\laura 2
2011-06-15 04:09 . 2011-06-15 04:09 -------- d-----w- C:\found.000
2011-06-15 02:56 . 2011-06-15 22:52 -------- d-----w- C:\winxp
2011-06-15 01:29 . 2011-06-15 01:29 -------- d-----w- C:\$AVG
2011-06-15 00:42 . 2011-06-15 00:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-15 00:35 . 2011-06-19 03:35 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-14 23:11 . 2011-06-15 23:36 -------- d-----w- c:\documents and settings\Administrator
2011-06-07 19:10 . 2011-06-07 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games
2011-06-07 19:05 . 2011-06-15 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Media
2011-06-07 19:05 . 2011-06-07 19:05 -------- d-----w- c:\program files\MSN Games
2011-06-07 19:04 . 2011-06-15 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\GamesBar
2011-06-06 19:55 . 2011-06-06 19:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 19:55 . 2011-06-06 19:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-06-04 00:02 . 2011-06-15 23:26 -------- d-----w- c:\program files\Xvid
2011-06-04 00:02 . 2009-06-07 23:25 77824 ----a-w- c:\windows\system32\xvid.ax
2011-06-04 00:01 . 2011-06-15 22:39 -------- d-----w- c:\program files\XP Codec Pack
2011-06-03 15:12 . 1999-08-27 08:00 32768 ----a-w- c:\windows\system\ahqman.dll
2011-06-03 15:11 . 1999-08-27 08:00 32768 ----a-w- c:\windows\system32\ahqman.dll
2011-06-03 15:09 . 2000-05-11 08:00 90112 ----a-w- c:\windows\Updreg.exe
2011-06-03 15:07 . 1998-06-05 09:00 84992 ----a-w- c:\windows\system32\sfcvrt32.dll
2011-06-03 15:07 . 1995-01-13 21:10 149504 ----a-w- c:\windows\system32\mfcans32.dll
2011-06-03 15:07 . 1995-01-13 21:10 108032 ----a-w- c:\windows\system32\mfcuia32.dll
2011-06-03 15:07 . 1997-06-02 11:06 34816 ----a-w- c:\windows\CTRes32.dll
2011-06-03 15:07 . 1996-05-23 09:24 24976 ----a-w- c:\windows\ctres.dll
2011-06-03 15:07 . 1995-08-30 09:02 82432 ----a-w- c:\windows\system32\ctwflt32.dll
2011-06-03 15:07 . 1995-07-13 09:01 26768 ----a-w- c:\windows\system32\ctl3d.dll
2011-06-03 15:07 . 1994-12-05 10:11 53552 ----a-w- c:\windows\ctccw.dll
2011-06-03 15:06 . 1998-03-19 08:00 3584 ----a-w- c:\windows\system32\Ahqcpres.dll
2011-06-03 15:06 . 1998-03-19 08:00 18432 ----a-w- c:\windows\system32\Audiohq.cpl
2011-06-03 15:06 . 1999-10-07 09:00 55808 ----a-w- c:\windows\system32\CtMp3.Crl
2011-06-03 15:06 . 1999-12-13 08:01 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-06-03 15:06 . 1999-11-18 08:00 25088 ----a-w- c:\windows\system32\CTSVCCTL.EXE
2011-06-03 14:26 . 2011-06-03 15:03 -------- d-----w- C:\compaq
2011-06-03 00:23 . 2001-11-18 06:51 61440 ----a-w- c:\windows\system32\SanCpl.cpl
2011-06-03 00:23 . 2011-06-03 00:23 -------- d-----w- c:\program files\SiSoftware
2011-06-03 00:23 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2011-06-02 23:42 . 2011-06-15 06:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 09:00 . 2010-09-04 23:06 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-06 23:51 . 2011-05-06 23:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1630676F-2156-406C-AC6E-C8DD2D749F40}]
2011-06-18 05:23 349696 ----a-w- c:\windows\system32\audiosrv32.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42C53A7C-8C1D-9B71-3EDD-9A05955EC5C0}]
2011-06-18 05:23 169472 ----a-w- c:\windows\system32\msxml3r32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart\0lsdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
2001-03-28 09:00 102400 ----a-w- c:\program files\Creative\SBLive\Program\AHQInit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 08:00 90112 ----a-w- c:\windows\Updreg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"avgwd"=2 (0x2)
"AVGIDSAgent"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\catsrv32.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/4/2010 4:06 PM 64512]
R2 MSDTC32;Distributed Transaction Coordinator ;c:\windows\system32\catsrv32.exe [6/17/2011 10:23 PM 764416]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/15/2011 3:09 PM 366640]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/25/2011 2:00 AM 2151128]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-18 21:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\shell32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-18 21:09:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-19 04:09
.
Pre-Run: 69,929,058,304 bytes free
Post-Run: 70,068,125,696 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 24CFEF83B6C0D80C804E245686F9837C

Thanks again, I will check out things to see what it's doing now and let you know. Laura.

#7 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 18 June 2011 - 11:52 PM

Okay and WOW! no redirects and it's loading pages so much faster!

I'm not going to do much as I don't want to get re-infected but so far so good. Thanks! Laura.

PS I figure we are not done...

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 19 June 2011 - 08:24 AM

Laura:

Please do this next:

Posted Image Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

http://www.bleepingcomputer.com/forums/topic404466.html
Collect::
c:\windows\system32\shell32.exe
c:\windows\system32\catsrv32.exe
c:\windows\system32\audiosrv32.dll
c:\windows\system32\msxml3r32.dll
Driver::
MSDTC32
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1630676F-2156-406C-AC6E-C8DD2D749F40}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42C53A7C-8C1D-9B71-3EDD-9A05955EC5C0}]

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 19 June 2011 - 11:17 AM

It was running so well I was shocked to discover I was still infected!

Combofix log

ComboFix 11-06-17.04 - laura 2 06/19/2011 8:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.486 [GMT -7:00]
Running from: c:\documents and settings\laura 2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\laura 2\Desktop\CFScript.txt
.
file zipped: c:\windows\system32\audiosrv32.dll
file zipped: c:\windows\system32\catsrv32.exe
file zipped: c:\windows\system32\msxml3r32.dll
file zipped: c:\windows\system32\shell32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}\chrome.manifest
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}\chrome\xulcache.jar
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}\defaults\preferences\xulcache.js
c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}\install.rdf
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270C.manifest
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270O.manifest
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270P.manifest
c:\documents and settings\LocalService\Application Data\02000000d08972cd1270S.manifest
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MSDTC32
-------\Service_MSDTC32
.
.
((((((((((((((((((((((((( Files Created from 2011-05-19 to 2011-06-19 )))))))))))))))))))))))))))))))
.
.
2011-06-19 15:26 . 2011-06-19 15:43 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-18 05:23 . 2011-06-18 05:23 764416 ----a-w- c:\windows\system32\shell32.exe
2011-06-18 05:23 . 2011-06-18 05:23 169472 ----a-w- c:\windows\system32\msxml3r32.dll
2011-06-18 05:23 . 2011-06-18 05:23 764416 ----a-w- c:\windows\system32\catsrv32.exe
2011-06-18 05:23 . 2011-06-18 05:23 349696 ----a-w- c:\windows\system32\audiosrv32.dll
2011-06-15 23:36 . 2011-06-15 23:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-15 23:33 . 2011-06-15 23:34 -------- d-----w- c:\program files\softendo.com
2011-06-15 23:29 . 2011-06-15 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-06-15 23:27 . 2011-06-16 22:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-06-15 23:27 . 2011-06-15 23:27 -------- d-----w- c:\program files\Oberon Media
2011-06-15 23:27 . 2011-06-15 23:27 -------- d-----w- c:\program files\GamesBar
2011-06-15 23:27 . 2011-06-15 23:27 -------- d-----w- c:\program files\Common Files\Oberon Media
2011-06-15 23:24 . 2011-06-15 23:24 -------- d-----w- C:\Media
2011-06-15 23:23 . 2011-06-15 23:23 -------- d-----w- c:\program files\Common Files\InstallShield
2011-06-15 22:32 . 2011-06-15 23:33 -------- d-----w- c:\documents and settings\Laura Linvingston
2011-06-15 22:13 . 2011-06-15 22:28 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-15 22:10 . 2011-06-15 22:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-06-15 22:09 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-15 22:09 . 2011-06-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-15 22:09 . 2011-06-15 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 20:49 . 2011-06-15 20:49 -------- d-----w- c:\program files\Trend Micro
2011-06-15 20:43 . 2011-06-15 20:43 0 ---ha-w- C:\aaw7boot.cmd
2011-06-15 17:11 . 2011-06-15 17:11 -------- d-----w- c:\program files\Glarysoft
2011-06-15 08:56 . 2011-06-15 08:56 -------- d-----w- c:\program files\beavis
2011-06-15 08:53 . 2011-06-15 08:53 -------- d-----w- c:\program files\PopCap Games
2011-06-15 08:51 . 2011-06-15 08:51 -------- d-----w- c:\program files\GameHouse
2011-06-15 06:37 . 2011-06-19 03:58 -------- d-----w- c:\documents and settings\laura 2
2011-06-15 04:09 . 2011-06-15 04:09 -------- d-----w- C:\found.000
2011-06-15 02:56 . 2011-06-15 22:52 -------- d-----w- C:\winxp
2011-06-15 01:29 . 2011-06-15 01:29 -------- d-----w- C:\$AVG
2011-06-15 00:42 . 2011-06-15 00:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-15 00:35 . 2011-06-19 03:35 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-14 23:11 . 2011-06-15 23:36 -------- d-----w- c:\documents and settings\Administrator
2011-06-07 19:10 . 2011-06-07 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games
2011-06-07 19:05 . 2011-06-15 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Media
2011-06-07 19:05 . 2011-06-07 19:05 -------- d-----w- c:\program files\MSN Games
2011-06-07 19:04 . 2011-06-15 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\GamesBar
2011-06-06 19:55 . 2011-06-06 19:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 19:55 . 2011-06-06 19:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-06-04 00:02 . 2011-06-15 23:26 -------- d-----w- c:\program files\Xvid
2011-06-04 00:02 . 2009-06-07 23:25 77824 ----a-w- c:\windows\system32\xvid.ax
2011-06-04 00:01 . 2011-06-15 22:39 -------- d-----w- c:\program files\XP Codec Pack
2011-06-03 15:12 . 1999-08-27 08:00 32768 ----a-w- c:\windows\system\ahqman.dll
2011-06-03 15:11 . 1999-08-27 08:00 32768 ----a-w- c:\windows\system32\ahqman.dll
2011-06-03 15:09 . 2000-05-11 08:00 90112 ----a-w- c:\windows\Updreg.exe
2011-06-03 15:07 . 1998-06-05 09:00 84992 ----a-w- c:\windows\system32\sfcvrt32.dll
2011-06-03 15:07 . 1995-01-13 21:10 149504 ----a-w- c:\windows\system32\mfcans32.dll
2011-06-03 15:07 . 1995-01-13 21:10 108032 ----a-w- c:\windows\system32\mfcuia32.dll
2011-06-03 15:07 . 1997-06-02 11:06 34816 ----a-w- c:\windows\CTRes32.dll
2011-06-03 15:07 . 1996-05-23 09:24 24976 ----a-w- c:\windows\ctres.dll
2011-06-03 15:07 . 1995-08-30 09:02 82432 ----a-w- c:\windows\system32\ctwflt32.dll
2011-06-03 15:07 . 1995-07-13 09:01 26768 ----a-w- c:\windows\system32\ctl3d.dll
2011-06-03 15:07 . 1994-12-05 10:11 53552 ----a-w- c:\windows\ctccw.dll
2011-06-03 15:06 . 1998-03-19 08:00 3584 ----a-w- c:\windows\system32\Ahqcpres.dll
2011-06-03 15:06 . 1998-03-19 08:00 18432 ----a-w- c:\windows\system32\Audiohq.cpl
2011-06-03 15:06 . 1999-10-07 09:00 55808 ----a-w- c:\windows\system32\CtMp3.Crl
2011-06-03 15:06 . 1999-12-13 08:01 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-06-03 15:06 . 1999-11-18 08:00 25088 ----a-w- c:\windows\system32\CTSVCCTL.EXE
2011-06-03 14:26 . 2011-06-03 15:03 -------- d-----w- C:\compaq
2011-06-03 00:23 . 2001-11-18 06:51 61440 ----a-w- c:\windows\system32\SanCpl.cpl
2011-06-03 00:23 . 2011-06-03 00:23 -------- d-----w- c:\program files\SiSoftware
2011-06-03 00:23 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2011-06-02 23:42 . 2011-06-15 06:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-06 23:51 . 2011-05-06 23:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
2001-03-28 09:00 102400 ----a-w- c:\program files\Creative\SBLive\Program\AHQInit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 08:00 90112 ----a-w- c:\windows\Updreg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"avgwd"=2 (0x2)
"AVGIDSAgent"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\catsrv32.exe"=
.
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/15/2011 3:09 PM 366640]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-19 08:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-19 08:49:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-19 15:49
ComboFix2.txt 2011-06-19 04:09
.
Pre-Run: 70,066,241,536 bytes free
Post-Run: 70,074,802,176 bytes free
.
- - End Of File - - CE6B17998C55E4EB19D308D6BB4FE9E3
Upload was successful


Mbam log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6896

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/19/2011 9:04:00 AM
mbam-log-2011-06-19 (09-04-00).txt

Scan type: Quick scan
Objects scanned: 155376
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\02000000d08972cd1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000d08972cd1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000d08972cd1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000d08972cd1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\shell32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Thanks again and I will be awaiting further instruction, Laura

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 19 June 2011 - 08:30 PM

Laura:

How is your computer running now? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 20 June 2011 - 01:04 AM

Okay, a couple of things. Eset asked me to download an app,so I did. Was I supposed to disable AV? Because I didn't. Was I supposed to check box for "Scan Archives" ? Because I did. It only took about 3 hours to scan so that's not too bad. Was I supposed to remove ESET from the PC? I didn't. I didn't get a log, i got threats found, it follows. 15 of them.

C:\Documents and Settings\laura 2\My Documents\downloads\media.player.codec.pack.v3.9.5.setup.exe Win32/Adware.Toolbar.Dealio application
C:\Documents and Settings\laura 2\My Documents\downloads\superslotscasino.exe Win32/CazinoSilver application
C:\Qoobox\Quarantine\C\Documents and Settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{87682015-93ef-4e6a-b7b6-27738e771b7f}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\laura 2\Application Data\Mozilla\Firefox\Profiles\gvxvvf7t.default\extensions\{a6ad7a64-2807-4347-85e0-f846a2c5696c}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP385\A0033346.exe a variant of Win32/Adware.Gamevance.AS application
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP385\A0033348.exe Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP385\A0033352.exe Win32/CazinoSilver application
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP388\A0036579.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP389\A0036768.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP389\A0036789.exe a variant of Win32/Adware.Gamevance.AS application
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP389\A0036806.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP389\A0036838.sys Win32/Olmasco.E trojan
C:\System Volume Information\_restore{E93F4EB5-872D-4181-ADF4-3054DB1F93BD}\RP390\A0037122.manifest Win32/TrojanDownloader.Tracur.F trojan

I updated Java and deleted the files before I ran this. I appropriate, I hope you had a nice Father's Day.
The pc is faster than it has ever been and I'm no longer getting redirects in Firefox or IE. Thanks and hope to hear from you soon, Laura.

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 20 June 2011 - 08:32 AM

Laura:

The ESET scan went just fine the way you ran it - you may uninstall it now.

ESET flagged your media player codec pack and super-slot casino programs as Potentially unwnted. A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives. I'll leave those up to you - if you no longer want them just remove them via Control Panel > Add/Remove programs.

Other than that your logs look good. Those other ESET detections will be cleared out when we unistall ComboFix. Now I have some very important cleanup for you to take care of:

Posted Image Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall
Posted Image

Posted Image Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Posted Image Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Posted Image Re-install an anti-virus program. Choose one, (but no more) reputable AV program. If you need help chosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Posted Image Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#13 thewhiteowl

thewhiteowl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 20 June 2011 - 10:48 AM

Okay, I did all the cleaning up. I uninstalled adaware and installed Avira. Since I have Mbam, do I need more anti spyware?

This PC is running great. No redirects and it's faster than it has ever been. Thanks to you and all those who volunteer their time and expertise here.

The article was very informative I will be a much safer surfer for having read it. Thanks so much, Laura

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 20 June 2011 - 11:13 AM

You're welcome, Laura. Avira and MBAM should be a sufficient combo of protection for you. Take care.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 AM

Posted 25 June 2011 - 04:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users