Searches being redirected


19 replies to this topic

#1 JohnH11br /


Posted 10 February 2012 - 12:35 AM

My frustration level has reached its limit. I have lost count on how long I have been infected with this nasty bug, but it’s been a long time. I’ve run almost every scan to try to get rid of it to no avail. To reiterate, I am infected with the search engine result hijacks/redirects. Meaning I’ll search for something in a search engine like Bing or Google and when I go to click the link it redirects me to a whole other site that has nothing to do with the intended site I was trying to enter. I don’t really know what infection it is mainly because I’ve read where it’s described as a virus, malware, spyware, etc. So I’ve never really taken a hold of what exactly it is. I have been able to document the sites; they are: feed.bizzclick.com, click.scour, get answers fast, gimme answers, search fast results, happili, admarketplace.net. Quite a few as you can tell. I’ve learned to deal with it, for example if I search something and click the link immediately I won’t be redirected, but if I wait more than two seconds then I’ll be redirected. Another one is when I have the results I’ll hover the cursor over the link and the URL address will show up at the bottom, once I click and hold the link the URL address will then change to mainly feed.bizzclick.com or another mainly composed of numbers. I’ll then drag the link a little bit and let it fall back so as to not actually enter the site, then when I would hover over it the link would have permanently changed, so it’s no longer what it originally was but the hijack site. All the other result links are fine and I can click them without being redirected; it seems it only affects one link.

So as you see I’ve learned to deal with it, but I don’t want that, I want to permanently get rid of it. Like I stated, I have run many scans in attempts to get rid of it. I’ve also read instructions on how to manually get rid of it, I’m somewhat advanced when it comes to working with computers, but not enough where I can comfortably mess with the registry or anything dealing with the OS for that matter. I’ve run MalwareBytes, SuperAntiSpyware, Avast anti-virus, CCleaner, Hitman Pro, Norton Power Eraser, and TDSSKiller. They were unable to successfully remove the bug. I’ve also tried to run Spyware Doctor, Spybot, Ad Aware, Hijackthis, and Bitdefender. I was unable to use these programs because I had difficulty and/or problems installing them. One problem was that they were unable to connect to the internet, I have an internet connection but some programs fail to connect to it. I was able to install Hijackthis, but it told me to copy and paste the program to the hard drive in order to successfully use it right, which threw me off a bit. I then read statements while researching that said to use that program cautiously and under the orders of pros because it could cause some problems, so I uninstalled it and decided to use it when told to.

I ran SuperAntiSpyware in safe mode and it found over 100 infections, which I successfully removed; I was hoping that the hijack bug was in there but to my disappointment it wasn’t. I apologize if the post is a bit long, but I really wanted to be thorough and specific in my description of my problem. Really hoping someone can help me to finally get rid of it. By the way my default browser is the latest version of Firefox and all my add-ons are up to date, I only have ones that I need, i.e. Flash, Java. I don’t use IE, pretty much ignore it, used a dummy proxy on it. The proxy server is directed to 0.0.0.0 and port 80. Nothing is updated on it, hopefully that isn’t a liability or the origins of the problems. If you have further questions or requests feel free to ask, I’ll be patiently waiting.

Edited by JohnH11br /, 10 February 2012 - 12:36 AM.



#2 CatByte (Malware Response Team)

Posted 10 February 2012 - 06:43 PM

Hi,

Please do the following:



Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 JohnH11br /

JohnH11br /
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 12 February 2012 - 10:27 PM

Just an update on my situation. I did a startup scan with Avast and it appears to have gotten rid of the hijacking; my searches are no longer being redirected. So I no longer need any assistance in fixing the problem I had since it seems to be gone. I have the bugs in my vault; if you would still want to see what I had, I have no problem posting them. Though I still have problems with some of my programs not being able to connect/detect the internet, should I post this problem in another section of the forum?

#4 CatByte


Posted 13 February 2012 - 09:56 AM

I have no idea what could be wrong unless I can get a look at the diagnostic logs



#5 CatByte


Posted 19 February 2012 - 06:35 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#6 CatByte


Posted 23 February 2012 - 11:55 AM

This topic has been re-opened at the request of the person who originally posted.



#7 JohnH11br /


Posted 24 February 2012 - 12:57 AM

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_30
Run by Steve at 23:58:24 on 2012-02-22
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell Remote Access\ezi_ra.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Steve\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mWinlogon: Userinit=Userinit.exe,
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; AskTB5.4)" -"http://www.shockwave.com/gamelanding/football3d.jsp"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Performance Center] c:\program files\ascentive\performance center\ApcMain.exe -m
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [AntiSpyware Service] c:\windows\temp\jebqx98xo.exe
dRun: [Windows System Recover!] c:\windows\temp\login.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
TCP: Interfaces\{F882070E-ED29-47A7-8387-06A7A44F36E7} : DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\steve\appdata\roaming\mozilla\firefox\profiles\acn8vfbr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? hitmanpro35;Hitman Pro 3.5 Support Driver
R? Viewpoint Manager Service;Viewpoint Manager Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? !SASCORE;SAS Core Service
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? DockLoginService;Dock Login Service
S? FontCache;Windows Font Cache Service
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2012-02-22 02:30:00 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4aba634b-9c5b-4aa6-ab32-26679405abea}\mpengine.dll
2012-01-27 05:09:31 -------- d-----w- c:\users\steve\appdata\roaming\TestApp
2012-01-27 04:28:02 -------- d-----w- c:\program files\ESET
2012-01-26 00:24:26 -------- d-----w- c:\program files\Lavasoft
2012-01-25 22:51:26 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-01-25 22:51:26 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-25 22:51:20 41184 ----a-w- c:\windows\avastSS.scr
.
==================== Find3M ====================
.
2012-01-29 11:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 22:34:29 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2011-12-27 05:34:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-15 14:12:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 23:59:11.80 ===============

Attach log:


Edited by JohnH11br /, 24 February 2012 - 12:57 AM.
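As an added example, not part of the thread and not the DDS tool's own code, here is a small Python triage pass over the kinds of lines in the "Pseudo HJT Report" section above: it flags autostart entries that execute from a temporary directory (as the two dRun entries under c:\windows\temp do), toolbar/BHO entries whose file is gone, and proxy settings that divert browser traffic. The sample input is constructed from lines of the posted log; the names `Finding`, `triage` and `image_path` are mine, and reading the u/m/d prefixes as current-user, machine and default-user hives is an assumption about DDS's labelling.

```python
"""Triage of the autostart and proxy lines in a DDS 'Pseudo HJT Report'.

Added example, not the DDS tool's own code. It parses uRun/mRun/dRun lines,
TB/BHO lines and the two proxy lines of a DDS log and flags the entries a
malware-response helper reads first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the DDS log posted above.
SAMPLE_LOG = r'''
uInternet Settings,ProxyServer = 0.0.0.0:80
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [AntiSpyware Service] c:\windows\temp\jebqx98xo.exe
dRun: [Windows System Recover!] c:\windows\temp\login.exe
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
FF - prefs.js: network.proxy.type - 4
'''


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = confirm with the user
    line: str      # the DDS line that triggered the finding
    reason: str


RUN_RE = re.compile(r"^([umd])Run(?:Once)?: \[(.*?)\](?:\s+(.*))?$")
NOFILE_RE = re.compile(r"^(TB|BHO): (.*) - No File$")
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (\S+)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d+)$")

# Assumed reading of the DDS prefixes: u = HKCU, m = HKLM, d = default-user hive.
HIVE = {"u": "current-user", "m": "machine", "d": "default-user"}
# Meaning of the Firefox network.proxy.type values.
FF_PROXY_TYPE = {0: "direct", 1: "manual proxy", 2: "PAC script",
                 4: "auto-detect (WPAD)", 5: "system proxy"}
# Directories a legitimate autostart entry almost never executes from.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\$recycle.bin\\", "\\recycler\\")


def image_path(command: str) -> str:
    """Return the lower-cased executable path of a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    m = re.match(r"(.*?\.(?:exe|scr|com|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1).lower()
    parts = command.split()
    return parts[0].lower() if parts else ""


def triage(log_text: str) -> list[Finding]:
    """Scan DDS report lines and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, name, command = HIVE[m.group(1)], m.group(2), m.group(3)
            if not command:
                # Entry with no command: leftover of a removed program or a cleaned key.
                findings.append(Finding("review", line,
                    f"{hive} autostart '{name}' has no command; stale or cleaned entry"))
                continue
            path = image_path(command)
            if any(d in path for d in SUSPECT_DIRS):
                findings.append(Finding("high", line,
                    f"{hive} autostart '{name}' runs from a temporary directory: {path}"))
        elif m := NOFILE_RE.match(line):
            findings.append(Finding("review", line,
                f"{m.group(1)} {m.group(2)} is registered but its file is gone"))
        elif m := IE_PROXY_RE.match(line):
            findings.append(Finding("review", line,
                f"WinINET proxy is {m.group(1)}; every program honouring the system proxy routes through it"))
        elif m := FF_PROXY_RE.match(line):
            kind = FF_PROXY_TYPE.get(int(m.group(1)), "unknown")
            if kind != "direct":
                findings.append(Finding("review", line,
                    f"Firefox proxy mode is '{kind}'; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```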


#8 JohnH11br /


Posted 24 February 2012 - 01:00 AM

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 00:04:15
-----------------------------
00:04:15.049 OS Version: Windows 6.0.6002 Service Pack 2
00:04:15.050 Number of processors: 1 586 0x1601
00:04:15.051 ComputerName: STEVE-PC UserName: Steve
00:04:17.335 Initialize success
00:04:18.189 AVAST engine defs: 12022201
00:05:04.783 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:05:04.786 Disk 0 Vendor: WDC_WD3200AAKS-75L9A0 01.03E01 Size: 305245MB BusType: 3
00:05:05.030 Disk 0 MBR read successfully
00:05:05.034 Disk 0 MBR scan
00:05:05.038 Disk 0 Windows VISTA default MBR code
00:05:05.100 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
00:05:05.156 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
00:05:05.226 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 294956 MB offset 21069824
00:05:05.328 Disk 0 scanning sectors +625139712
00:05:05.557 Disk 0 scanning C:\Windows\system32\drivers
00:06:27.158 Service scanning
00:06:44.234 Modules scanning
00:09:51.600 Disk 0 trace - called modules:
00:09:51.990 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
00:09:51.997 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854e2210]
00:09:52.003 3 CLASSPNP.SYS[883a98b3] -> nt!IofCallDriver -> [0x84a67958]
00:09:52.009 5 acpi.sys[806996bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84a4f528]
00:09:52.882 AVAST engine scan C:\Windows
00:12:05.610 AVAST engine scan C:\Windows\system32
00:27:48.246 AVAST engine scan C:\Windows\system32\drivers
00:28:27.440 AVAST engine scan C:\Users\Steve
01:36:42.668 AVAST engine scan C:\ProgramData
02:26:32.968 Scan finished successfully
06:37:22.350 Disk 0 MBR has been saved successfully to "C:\Users\Steve\Desktop\MBR.dat"
06:37:22.398 The log file has been saved successfully to "C:\Users\Steve\Desktop\aswMBR.log"

Attached Files

  • Attached File  MBR.zip   565bytes   0 downloads


#9 CatByte


Posted 24 February 2012 - 04:36 PM

Hi,

Please do the following

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.




NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



#10 JohnH11br /


Posted 26 February 2012 - 03:25 AM

I came across a problem trying to run ComboFix. I followed all the procedures, but it detected the following:

antivirus: Mcafee virusscan
antivirus: antivir desktop
antispyware: Mcafee virusscan
antispyware: antivir desktop

I was under the impression that I had removed Mcafee, I tried to search for it, but couldn't find anything concrete - just something that Windows couldn't open. I attempted once to install Avira, but was also under the impression that I quit that program, and again I couldn't find anything concrete to remove or disable either of the two.

#11 CatByte


Posted 26 February 2012 - 09:50 AM

Try the McAfee removal tool, then just proceed with ComboFix even if it tells you it is still active.

Download and run the McAfee Removal Tool
Instructions can be found here
http://service.mcafee.com/FAQDocument.aspx?id=TS100507



#12 JohnH11br /


Posted 27 February 2012 - 12:06 PM

I don't know if ComboFix worked. It took maybe 10 or so hours scanning; during the scan I got a message from Windows telling me that Freeware implementation of XCACLS has stopped working. I didn't mouseclick anything but the notice that came up, so I'm unaware if it stalled or something happened. I exited and restarted the computer and I got a message that the Application 0x800106ba had failed to initialize. I also got a message telling me that the Recycle Bin is corrupted so I clicked yes to empty that drive. I thought the internet was supposed to be disconnected and some of the computer images be changed, but the icon showed internet and everything was fine. I don't know anymore. Were you at least able to maybe get a hint of what may be wrong that some programs are unable to connect/detect the internet from all the previous logs?

#13 CatByte


Posted 28 February 2012 - 12:49 PM

Please have a look and see if there is a log located at C:\ComboFix.txt

If so please post it.

If there is no log, then please delete the copy that you have on your desktop and download a fresh copy, re-run it, make sure your security programs are disabled as they may have interfered

post the resulting log



#14 JohnH11br /


Posted 29 February 2012 - 02:49 PM

Ran ComboFix from safe mode and it said there was rootkit activity and had to reboot. So I clicked reboot, but it didn't seem like it left a log, I even looked in (C:) combofix and still nothing.

#15 CatByte


Posted 29 February 2012 - 02:57 PM

Please rerun it and see if it completes this time,

thanks





