
Google search links disabled - not redirected


This topic is locked
44 replies to this topic

#1 philter57 (Members)

Posted 09 February 2012 - 10:07 AM

I'm using Malwarebytes Pro, with Protection Enabled, and Avast with all Real-Time Shields on.

While watching the SuperBowl commercials on YouTube, I got the following notice from Malwarebytes;
"[OpenEvent] Failed to perform desired action. Error Code: 2"

Checking the program, the "enable protection" had been disabled. When trying to restart it, this;
"The system cannot find the file specified."

Ran SUPERAntiSpyware. It found nothing.

Noticed Google search links were disabled (not redirected).

Reinstalled Malwarebytes with no problem. Protection enabled again.

Tried a System Restore to a point set about 18hrs before. Upon the reboot, the system froze. And remains so.

So obviously I can not provide a DDS or GMER log at this point. I'm on a borrowed computer.
I do have the Microsoft Windows Recovery Console installed.

This is my business computer. I do have most accounting files saved (I hope), but there is so much more than that. I can't do invoicing, etc. I am crazy desperate. Hope you can help.

Sincerely,
Phil


#2 sempai (Malware Response Team)

Posted 11 February 2012 - 03:01 AM

Hello philter57 and welcome to BC.

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 philter57 (Topic Starter)

Posted 11 February 2012 - 08:53 AM

Oh yes. Please.
I'm very grateful for anything you can do.
Sincerely,
Phil

#4 sempai (Malware Response Team)

Posted 11 February 2012 - 09:56 AM

Hi,

Can you update me please with the current status of your computer? Can you boot normally now? If not, have you tried doing a hard reboot?

What is your OS? 32 or 64 bit?

~Semp



#5 philter57 (Topic Starter)

Posted 11 February 2012 - 02:23 PM

Okay a little movement.
The computer will boot now. And at this point Google search links are working. But Malwarebytes continues to have its files corrupted.
I can't reply to you from the problem computer because of the way your web site works. So I'm transferring this info to this computer. Maybe it will be more problematic as we proceed.

Here's the dds file and I've attached the remaining files for you.
Thanks so much for your help with this.
Phil

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Phil at 13:03:38 on 2012-02-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3455.2634 [GMT -5:00]
.
AV: The Shield Deluxe 2009 Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\- Internet\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\- Internet\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\- PROGRAM FILES\CDBurnerXP\NMSAccessU.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\- Internet\ClipPlus\ClipPlus36.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\- Internet\Mozilla Firefox\firefox.exe
C:\Program Files\- Internet\Mozilla Firefox\plugin-container.exe
C:\Program Files\- Internet\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\- Internet\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://webmail.primus.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [H/PC Connection Agent] "c:\progra~1\micros~3\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\- internet\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\clippl~1.lnk - c:\program files\- internet\clipplus\ClipPlus36.exe
IE: E&xport to Microsoft Excel - c:\progra~1\-progr~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\-progr~1\micros~2\office11\REFIEBAR.DLL
DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254606308687
TCP: DhcpNameServer = 192.168.2.1 216.254.136.227 216.254.141.13
TCP: Interfaces\{238EB0B6-273D-457F-B4E3-D6ED7A12B19D} : DhcpNameServer = 192.168.2.1 216.254.136.227 216.254.141.13
Notify: !SASWinLogon - c:\program files\- internet\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\- internet\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\phil\application data\mozilla\firefox\profiles\c1g9m4zb.default\
FF - prefs.js: browser.search.selectedEngine - Hyperwords
FF - prefs.js: browser.startup.homepage - hxxp://www.weatheroffice.gc.ca/city/pages/on-118_metric_e.html
FF - component: c:\program files\- internet\mozilla firefox\components\browserdirprovider.dll
FF - component: c:\program files\- internet\mozilla firefox\components\brwsrcmp.dll
FF - plugin: c:\program files\- internet\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\- internet\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\- internet\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\- internet\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\- internet\mozilla firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\- internet\mozilla firefox\plugins\nprpjplug.dll
FF - plugin: c:\program files\- internet\real alternative\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\- internet\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\- internet\vlc\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-5 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-26 314456]
R1 SASDIFSV;SASDIFSV;c:\program files\- internet\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\- internet\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\- internet\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-26 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\- internet\alwil software\avast5\AvastSvc.exe [2010-2-26 44768]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-11 40776]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-10-3 39456]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-3 1374464]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\documents and settings\phil\desktop\internet\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\documents and settings\phil\desktop\internet\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-28 20464]
.
=============== Created Last 30 ================
.
2012-02-11 17:53:54 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-09 03:19:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-09 03:19:01 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-09 02:56:47 -------- d-----w- c:\documents and settings\phil\local settings\application data\Babylon
2012-02-09 02:56:46 -------- d-----w- c:\documents and settings\phil\application data\Babylon
2012-02-06 06:02:00 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{637e8a1e-0b8d-4785-9833-2004efc54f85}\offreg.dll
2012-02-06 06:00:30 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{637e8a1e-0b8d-4785-9833-2004efc54f85}\mpengine.dll
.
==================== Find3M ====================
.
2012-01-27 05:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 14:06:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
============= FINISH: 13:05:19.75 ===============

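A note added for readers who triage DDS logs like the one posted above (example code written for this page; it is not from the thread, from DDS or from any of the tools named here). The script splits a DDS log into its banner-delimited sections, extracts the AV/AS/FW status lines, the uRun/mRun autostart entries, the DHCP name servers and the service/driver entries, and then lists what a helper reads first: a security product that does not report Enabled, a stopped (S-prefixed) service or driver, and name servers outside private address ranges. The sample input is a constructed excerpt of the log above, and the section names and line shapes in the regular expressions are assumed from that log's layout.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few lines per section, excerpted from the DDS log
# posted above, so the parser can run offline.
SAMPLE_DDS = r"""
AV: The Shield Deluxe 2009 Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\- Internet\Alwil Software\Avast5\AvastSvc.exe
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\- internet\malwarebytes' anti-malware\mbamgui.exe" /starttray
TCP: DhcpNameServer = 192.168.2.1 216.254.136.227 216.254.141.13
.
============= SERVICES / DRIVERS ===============
.
R2 avast! Antivirus;avast! Antivirus;c:\program files\- internet\alwil software\avast5\AvastSvc.exe [2010-2-26 44768]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-11 40776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-28 20464]
.
============= FINISH: 13:05:19.75 ===============
"""

# Line shapes as DDS prints them; assumed from the log above.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AV_RE = re.compile(r"^(AV|AS|FW): (.+?) \*(\w+)/(\w+)\* \{([0-9A-Fa-f-]+)\}$")
RUN_RE = re.compile(r"^([um]Run(?:Once)?): \[(.+?)\] (.+)$")
DNS_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
SVC_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$"
)


def parse_dds(text):
    """Split a DDS log into {section name: [lines]}. Lines before the first
    '====' banner go under 'Header'; blank lines and '.' spacers are dropped."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def security_products(header_lines):
    """AV/AS/FW lines -> dicts with the product's reported state and GUID."""
    out = []
    for line in header_lines:
        m = AV_RE.match(line)
        if m:
            kind, name, state, updated, guid = m.groups()
            out.append({"kind": kind, "name": name, "state": state,
                        "updated": updated, "guid": guid})
    return out


def run_entries(hjt_lines):
    """uRun/mRun autostart entries -> (key, value name, command) tuples."""
    return [m.groups() for m in map(RUN_RE.match, hjt_lines) if m]


def dns_servers(hjt_lines):
    """DHCP-assigned name servers as ip_address objects (empty if absent)."""
    for line in hjt_lines:
        m = DNS_RE.match(line)
        if m:
            return [ipaddress.ip_address(s) for s in m.group(1).split()]
    return []


def services(svc_lines):
    """R?/S? service and driver lines -> dicts; R = running, S = stopped."""
    out = []
    for line in svc_lines:
        m = SVC_RE.match(line)
        if m:
            status, name, display, path, date, size = m.groups()
            out.append({"status": status, "name": name, "display": display,
                        "path": path, "date": date, "size": int(size)})
    return out


def triage(text):
    """Return the items a helper would read first from a DDS log."""
    secs = parse_dds(text)
    findings = []
    for p in security_products(secs.get("Header", [])):
        if p["state"].lower() != "enabled":
            findings.append(f"{p['kind']} {p['name']!r} reports {p['state']} ({p['guid']})")
    for s in services(secs.get("SERVICES / DRIVERS", [])):
        if s["status"].startswith("S"):
            findings.append(f"stopped {s['status']} entry {s['name']}: {s['path']}")
    public = [str(ip) for ip in dns_servers(secs.get("Pseudo HJT Report", []))
              if not ip.is_private]
    if public:
        findings.append("non-private DNS servers: " + ", ".join(public))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run against the sample it reports the disabled Shield Deluxe entry, the stopped MBAMProtector driver (the same symptom the poster describes as Malwarebytes protection being disabled) and the two ISP name servers; a non-private name server is not a finding on its own, it is only listed so it can be compared with what the ISP is expected to hand out. To use it on a full log, read C:\ComboFix.txt-style DDS output from a file and pass the text to triage().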
#6 sempai (Malware Response Team)

Posted 11 February 2012 - 09:49 PM

Hi Phil,

Glad to know that the computer is booting properly now, which makes the cleaning process easier.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#7 philter57 (Topic Starter)

Posted 12 February 2012 - 01:22 PM

Hi Sempai,
Attached is the ComboFix log. Sorry to find it makes IE the default browser. Oh well, only for the moment.
At first look, all seems to be functioning again. Am I being overly optimistic?
Thanks again,
p

#8 philter57 (Topic Starter)

Posted 12 February 2012 - 07:00 PM

Something has come up with browsing. It seems when I try to log in to a site to make a purchase (eBay and the vendor directly), I'm being endlessly looped back to the login page. I'm being blocked in the same way from contacting eBay support. Pretty sure cookies, etc. are good at my end. Coincidence?

Edited by philter57, 12 February 2012 - 07:06 PM.


#9 sempai (Malware Response Team)

Posted 13 February 2012 - 10:48 AM

Pretty sure cookies, etc. are good at my end. Coincidence?


Not really sure at the moment, what browser do you use? Please do not attach logs unless instructed.


We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

SecCenter::
{6C4BB89C-B0ED-4F41-A29C-4373888923BB}

DirLook::
c:\documents and settings\phil\local settings\application data\Babylon
c:\documents and settings\phil\application data\Babylon

ClearJavaCache::


4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp



#10 philter57 (Topic Starter)

Posted 13 February 2012 - 12:20 PM

I'm using Firefox.

The instructions did ask that I include the log with my next post.
"When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt)."
But for sure I will follow your words instead.

Attached is the log (ComboFix2) from the last scan.

Thanks for your patience.
p

#11 sempai (Malware Response Team)

Posted 13 February 2012 - 12:28 PM

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp



#12 philter57 (Topic Starter)

Posted 13 February 2012 - 02:46 PM

I ran ESET and it found no threats or infected files. So I guess that's why it produced no log.
When I ran Avast, Malwarebytes and SUPERAntiSpyware a couple of days ago they found nothing as well.
p

#13 sempai (Malware Response Team)

Posted 13 February 2012 - 07:02 PM

How's the computer running?

~Semp



#14 philter57 (Topic Starter)

Posted 13 February 2012 - 09:31 PM

I still can't log in to web sites. Nothing else has come up yet.

#15 sempai (Malware Response Team)

Posted 14 February 2012 - 07:29 AM

Is this problem only when using Firefox? How about IE?

~Semp





