Google redirect after Windows Scan virus infection


21 replies to this topic

#1 jluebke

Posted 06 March 2012 - 02:17 PM

Hi --

I'm writing for some help with a persistent issue I'm having after dealing with a virus infection. I'm running Windows XP and about 2 weeks ago I dealt with a Windows Scan infection. I was able to use Rkill, MBAM and Unhide to knock it back, stop all the popups and fake warnings, and generally restore order.

However, both IE and Firefox are still running extremely slowly, and my Google Search results are getting hijacked. For now, I am working around this by copying shortcuts and pasting them into the address bar rather than clicking on the search result itself. This seems to avoid the issue, and no other sites/links appear to be infected except Google.

In the interim, I have done my best to get all relevant security updates for my software, uninstall some older insecure programs, and clean up my hard drive.

I guess there is still some sort of malware infection lingering, but MBAM scans are not turning up malicious items and Rkill does not terminate any processes. I have read numerous tutorials on this site and others, and they all seem to point to Combofix. I'm not an advanced user and have seen stern warnings about running Combofix if you don't know what you're doing. In any case, I don't feel comfortable taking matters into my own hands to that extent.

Please help a noob out. Thanks!

Edited by jluebke, 06 March 2012 - 02:18 PM.




#2 boopme (Global Moderator)

Posted 06 March 2012 - 03:07 PM

Hello and welcome, let's look a bit.

Are you on a router? Are other machines on it? If so, are they redirecting?

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

>>>>>

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

>>>>
rerun an updated RKILL

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

>>>>
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:

On completion of the scan click "Save log", save it to your desktop and post in your next reply:

NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


Please ask any needed questions, post logs and let us know how the PC is running now.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 jluebke (Topic Starter)

Posted 06 March 2012 - 03:15 PM

Hi boopme -- thanks a ton for the quick reply!

Yes, I'm on a router (Linksys wireless G type) but there are currently no other machines connected to it. I will run those scans/utilities as soon as I get home and post the logs here ASAP.

#4 boopme (Global Moderator)

Posted 06 March 2012 - 03:23 PM

Ok, I'll look back this evening and you're welcome~!!

#5 jluebke (Topic Starter)

Posted 06 March 2012 - 06:07 PM

MiniToolBox by Farbar Version: 18-01-2012
Ran by Boss (administrator) on 06-03-2012 at 18:03:16
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® 82562V 10/100 Network Connection = Local Area Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : SLAVE

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® 82562V 10/100 Network Connection

Physical Address. . . . . . . . . : 00-19-D1-2E-0A-DC

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.101

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 68.94.156.1

68.94.157.1

Lease Obtained. . . . . . . . . . : Tuesday, March 06, 2012 11:55:36 AM

Lease Expires . . . . . . . . . . : Wednesday, March 07, 2012 11:55:36 AM

Server: dnsr1.sbcglobal.net
Address: 68.94.156.1

Name: google.com
Addresses: 74.125.225.64, 74.125.225.65, 74.125.225.66, 74.125.225.67
74.125.225.68, 74.125.225.69, 74.125.225.70, 74.125.225.71, 74.125.225.72
74.125.225.73, 74.125.225.78



Pinging google.com [74.125.225.130] with 32 bytes of data:



Reply from 74.125.225.130: bytes=32 time=53ms TTL=55

Reply from 74.125.225.130: bytes=32 time=51ms TTL=55



Ping statistics for 74.125.225.130:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 51ms, Maximum = 53ms, Average = 52ms

Server: dnsr1.sbcglobal.net
Address: 68.94.156.1

Name: yahoo.com
Addresses: 98.139.127.62, 98.139.183.24, 209.191.122.70



Pinging yahoo.com [98.139.127.62] with 32 bytes of data:



Reply from 98.139.127.62: bytes=32 time=123ms TTL=52

Reply from 98.139.127.62: bytes=32 time=118ms TTL=52



Ping statistics for 98.139.127.62:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 118ms, Maximum = 123ms, Average = 120ms

Server: dnsr1.sbcglobal.net
Address: 68.94.156.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 d1 2e 0a dc ...... Intel® 82562V 10/100 Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.101 192.168.1.101 20
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 20
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 20
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 20
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/24/2012 08:20:17 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00001de6.
Processing media-specific event for [svchost.exe!ws!]

Error: (02/23/2012 09:05:41 AM) (Source: Windows Search Service) (User: )
Description: The entry <MAPI://{S-1-5-21-4064463097-2716721866-2817761120-1006}/PERSONAL FOLDERS($66E13798)/X/INBOX/????????????????????????> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (02/21/2012 02:09:37 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (02/21/2012 00:11:04 AM) (Source: Windows Search Service) (User: )
Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context: Application, SystemIndex Catalog

Error: (02/21/2012 00:10:52 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (02/21/2012 00:04:07 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.Workflow.Activities, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020

Error: (02/20/2012 08:27:14 PM) (Source: Application Error) (User: )
Description: Fault bucket -1985428170.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (02/20/2012 05:04:29 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00001de6.
Processing media-specific event for [svchost.exe!ws!]

Error: (02/17/2012 09:26:16 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00001de6.
Processing media-specific event for [svchost.exe!ws!]

Error: (02/15/2012 01:45:20 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


System errors:
=============
Error: (03/01/2012 08:25:42 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Central Control Component service terminated unexpectedly. It has done this 2 time(s).

Error: (03/01/2012 08:25:42 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Proxy Service service terminated unexpectedly. It has done this 2 time(s).

Error: (03/01/2012 08:25:42 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 2 time(s).

Error: (03/01/2012 08:25:42 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Real-time Service service terminated unexpectedly. It has done this 2 time(s).

Error: (02/27/2012 11:33:14 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).

Error: (02/27/2012 11:33:14 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).

Error: (02/27/2012 11:33:14 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).

Error: (02/27/2012 11:33:14 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Real-time Service service terminated unexpectedly. It has done this 1 time(s).

Error: (02/26/2012 00:54:43 PM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Proxy Service service failed to start due to the following error:
%%1053

Error: (02/26/2012 00:54:43 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Trend Micro Proxy Service service to connect.


Microsoft Office Sessions:
=========================
Error: (02/24/2012 08:20:17 AM) (Source: Application Error)(User: )
Description: svchost.exe5.1.2600.5512ntdll.dll5.1.2600.605500001de6

Error: (02/23/2012 09:05:41 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
MAPI://{S-1-5-21-4064463097-2716721866-2817761120-1006}/PERSONAL FOLDERS($66E13798)/X/INBOX/????????????????????????

Error: (02/21/2012 02:09:37 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (02/21/2012 00:11:04 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Error: (02/21/2012 00:10:52 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (02/21/2012 00:04:07 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.Workflow.Activities, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020
System.Workflow.Activities, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (02/20/2012 08:27:14 PM) (Source: Application Error)(User: )
Description: -1985428170

Error: (02/20/2012 05:04:29 PM) (Source: Application Error)(User: )
Description: svchost.exe5.1.2600.5512ntdll.dll5.1.2600.605500001de6

Error: (02/17/2012 09:26:16 AM) (Source: Application Error)(User: )
Description: svchost.exe5.1.2600.5512ntdll.dll5.1.2600.605500001de6

Error: (02/15/2012 01:45:20 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.


=========================== Installed Programs ============================

Add or Remove Adobe Creative Suite 3 Web Premium (Version: 1.0)
Adobe Acrobat 9 Pro - English, Franšais, Deutsch (Version: 9.5.0)
Adobe Acrobat 9.5.0 - CPSID_83708
Adobe Anchor Service CS3 (Version: 1.0)
Adobe Asset Services CS3 (Version: 3)
Adobe Bridge 1.0 (Version: 1.0.1.1)
Adobe Bridge CS3 (Version: 2)
Adobe Bridge Start Meeting (Version: 1.0)
Adobe BridgeTalk Plugin CS3 (Version: 1.0)
Adobe Camera Raw 4.0 (Version: 4.0)
Adobe CMaps (Version: 1.0)
Adobe Color - Photoshop Specific (Version: 1.0)
Adobe Color Common Settings (Version: 1.0)
Adobe Color EU Extra Settings (Version: 1.0)
Adobe Color JA Extra Settings (Version: 1.0)
Adobe Color NA Recommended Settings (Version: 1.0)
Adobe Common File Installer (Version: 1.00.002)
Adobe Contribute CS3 (Version: 4.1)
Adobe Default Language CS3 (Version: 1.0)
Adobe Device Central CS3 (Version: 1.0)
Adobe Dreamweaver CS3 (Version: 9)
Adobe ExtendScript Toolkit 2 (Version: 2.0)
Adobe Extension Manager CS3 (Version: 1.8)
Adobe Fireworks CS3 (Version: 9.0)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.62)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Fonts All (Version: 1.0)
Adobe Help Center 2.0 (Version: 2.0.0)
Adobe Help Viewer CS3 (Version: 1)
Adobe Illustrator CS3 (Version: 13.0)
Adobe InDesign CS2 (Version: 004.000.000)
Adobe Linguistics CS3 (Version: 3.0.0)
Adobe MotionPicture Color Files (Version: 1.0)
Adobe PDF Library Files (Version: 8.0)
Adobe Photoshop CS3 (Version: 10)
Adobe Setup (Version: 1.0)
Adobe Stock Photos 1.0 (Version: 001.000.000)
Adobe Stock Photos CS3 (Version: 1.5)
Adobe SVG Viewer 3.0 (Version: 3.0)
Adobe Type Support (Version: 1.0)
Adobe Update Manager CS3 (Version: 5.1.0)
Adobe Version Cue CS3 Client (Version: 3)
Adobe Version Cue CS3 Server (Version: 3.0)
Adobe WAS CS3 (Version: 1.0)
Adobe WinSoft Linguistics Plugin (Version: 1.0)
Adobe XMP Panels CS3 (Version: 1.0)
Advanced Decoder Patch
AHV content for Acrobat and Flash (Version: 1)
AndreaMosaic 3.30.3
AOLIcon (Version: 1.00.0000)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
CCleaner (Version: 3.16)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Consumer Complete Care Services Agreement (Version: 1.10.0000)
Creative MediaSource (Version: 3.00)
Critical Update for Windows Media Player 11 (KB959772)
DeductionPro 2006
DeductionPro 2007 (Version: 14.19)
DeductionPro 2008 (Version: 16.04)
DeductionPro 2009 (Version: 17.04)
Dell CinePlayer (Version: 3.0)
Dell Driver Reset Tool (Version: 1.02.0000)
Dell System Restore (Version: 2.00.0000)
Digital Content Portal (Version: 1.00.0000)
Documentation & Support Launcher (Version: 1.00.0000)
Dolet Light for Finale (Version: 1.0.1)
eWebEditPro with WebImageFX Client
Finale 2003
FLV Player 2.0 (build 25) (Version: 2.0 (build 25))
Games, Music, & Photos Launcher (Version: 1.00.0000)
GoldWave v5.18
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2614.234)
Google Update Helper (Version: 1.3.21.99)
H&R Block Deluxe + Efile + State 2009 (Version: 09.04.7101)
H&R Block Deluxe + Efile + State 2010 (Version: 10.04.6402)
H&R Block Deluxe + Efile + State 2011 (Version: 11.05.6203)
H&R Block Michigan 2009 (Version: 1.09.3901)
H&R Block Michigan 2010 (Version: 1.10.3201)
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
HiJackThis (Version: 1.0.0)
Intel® Matrix Storage Manager
Intel® PRO Network Connections (Version: )
iTunes (Version: 10.5.3.3)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
Learn2 Player (Uninstall Only)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Small Business Edition 2003 (Version: 11.0.8173.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Mozilla Firefox 10.0.2 (x86 en-GB) (Version: 10.0.2)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nikon Message Center (Version: 0.92.000)
Nikon RAW Codec (Version: 1.00.0000)
Nikon Transfer (Version: 1.1.0)
NVIDIA Drivers
PDF Settings (Version: 1.0)
Pdf995
PdfEdit995
Picture Control Utility (Version: 1.1.0)
PowerISO
Qualxserve Service Agreement (Version: 1.11.0000)
QuickTime (Version: 7.71.80.42)
RealPlayer Basic
Roxio DLA (Version: 5.2.0)
Roxio MyDVD LE (Version: 6.1.6)
Roxio RecordNow Audio (Version: 2.0.4)
Roxio RecordNow Copy (Version: 2.0.4)
Roxio RecordNow Data (Version: 2.0.4)
Secunia PSI (2.0.0.4003) (Version: 2.0.0.4003)
Sonic Activation Module (Version: 1.0)
Sound Blaster X-Fi (Version: 1.0)
SYNC My iTunes v1.1.61 (Version: 1.1.61)
TaxCut Michigan 2007 (Version: 1.07.5901)
TaxCut Michigan 2008 (Version: 1.08.4101)
TaxCut Premium + State + Efile 2008 (Version: 08.07.7101)
TaxCut Premium + State 2007 (Version: 07.04.0000)
TaxCut Premium 2006
Trend Micro PC-cillin Internet Security 14 (Version: 14.6)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB973874) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
ViewNX (Version: 1.1.0)
Wacom Tablet
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows PowerShell™ 1.0 (Version: 2)
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Service Pack 3 (Version: 20080414.031525)
Yahoo! BrowserPlus 2.9.8

========================= Memory info: ===================================

Percentage of memory in use: 55%
Total physical RAM: 2045.82 MB
Available physical RAM: 916.89 MB
Total Pagefile: 3938.04 MB
Available Pagefile: 2926.83 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.71 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:294.33 GB) (Free:73.3 GB) NTFS

========================= Users: ========================================

User accounts for \\SLAVE

Administrator Boss Guest
HelpAssistant SUPPORT_388945a0


**** End of log ****
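The items boopme asked MiniToolBox to report in post #2 (hosts file, IE proxy settings, DNS servers, Winsock LSP catalog) are the usual places a search-redirect hijack lives, and the Result.txt above shows what a clean set of those sections looks like. The Python below is an added example, not MiniToolBox's or the thread's code: it parses a Result.txt laid out like the one in post #5 and flags the entries a helper would look at first. The section-header and Winsock-line patterns follow the log's layout; the trusted-directory rule, the expected-resolver set passed to `analyze`, and `SAMPLE_REPORT` (documentation-range addresses and a placeholder DLL name) are constructed assumptions. A third-party LSP such as Bonjour's mdnsNSP.dll is reported for review, not as malicious.

```python
# Added example: triage a MiniToolBox-style Result.txt for the places a
# search-redirect hijack usually lives (hosts file, IE proxy, DNS, Winsock LSPs).
# Section headers follow the post #5 layout; the trusted-directory rule,
# expected-resolver set and SAMPLE_REPORT are assumptions, not page data.
import re
from typing import Dict, List, Set

SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?):?\s*=+$")  # "==== Name: ===="
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Catalog5 01 C:\...\mswsock.dll [245248] (Microsoft Corporation)
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.+)\)$")
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(windows\\system32|program files)\\")  # assumption
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
CLEAN_PROXY = {"Proxy is not enabled.", "No Proxy Server is set."}


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split the report into {section name: non-empty stripped lines}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_hosts(lines: List[str]) -> List[str]:
    """Any name mapped to something other than loopback/localhost is a finding."""
    findings = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        findings += [f"hosts: {n} pinned to {parts[0]}" for n in parts[1:]
                     if (parts[0], n) not in BENIGN_HOSTS]
    return findings


def check_proxy(lines: List[str]) -> List[str]:
    """Anything but the two 'no proxy' lines means browser traffic may be rerouted."""
    if CLEAN_PROXY.issubset(lines):
        return []
    return ["proxy: IE proxy settings differ from the clean baseline: " + "; ".join(lines)]


def dns_servers(lines: List[str]) -> List[str]:
    """Collect the 'DNS Servers' value plus its bare-IP continuation lines."""
    servers, collecting = [], False
    for line in lines:
        if line.startswith("DNS Servers"):
            servers.append(line.split(":", 1)[1].strip())
            collecting = True
        elif collecting and IPV4_RE.fullmatch(line):
            servers.append(line)
        else:
            collecting = False
    return servers


def check_dns(lines: List[str], expected: Set[str]) -> List[str]:
    """Resolvers outside the set the owner expects (gateway or ISP) are findings."""
    return [f"dns: resolver {ip} not in expected set"
            for ip in dns_servers(lines) if ip not in expected]


def check_winsock(lines: List[str]) -> List[str]:
    """LSP DLLs in odd directories are suspicious; other vendors are flagged for review."""
    findings = []
    for m in filter(None, map(WINSOCK_RE.match, lines)):
        path, vendor = m.group(3), m.group(5)
        if not TRUSTED_DIR_RE.match(path.lower()):
            findings.append(f"winsock: suspicious LSP outside system/program dirs {path} ({vendor})")
        elif vendor != "Microsoft Corporation":
            findings.append(f"winsock: review third-party LSP {path} ({vendor})")
    return findings


def analyze(report: str, expected_dns: Set[str]) -> List[str]:
    """Run every check over the sections MiniToolBox reports."""
    s = parse_sections(report)
    return (check_hosts(s.get("Hosts content", []))
            + check_proxy(s.get("IE Proxy Settings", []))
            + check_dns(s.get("IP Configuration", []), expected_dns)
            + check_winsock(s.get("Winsock entries", [])))


# Constructed sample in the thread's layout: RFC 5737 documentation addresses and a
# placeholder DLL name, not real indicators.
SAMPLE_REPORT = r"""
========================= IE Proxy Settings: ==============================
Proxy is enabled.
Proxy Server: 127.0.0.1:8080
========================= Hosts content: =================================
127.0.0.1 localhost
203.0.113.5 www.google.com google.com
========================= IP Configuration: ================================
DNS Servers . . . . . . . . . . . : 192.168.1.1
198.51.100.9
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Documents and Settings\Boss\Local Settings\Temp\placeholder_lsp.dll [40960] (Unknown)
"""

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_REPORT, {"192.168.1.1"})))
```

Run against the Result.txt in post #5 with the ISP resolvers as the expected set, it returns only the Bonjour review line; the design choice is to treat the hosts file, proxy and DNS as hard findings and to leave vendor judgement on LSPs to the person reading the log.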

#6 jluebke (Topic Starter)

Posted 06 March 2012 - 06:08 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 18:06 on 06/03/2012 (Boss)
Firefox version 10.0.2 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:54 21/02/2012]
{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} [22:08 03/03/2012]

C:\Documents and Settings\Boss\Application Data\Mozilla\Firefox\Profiles\14872twg.default\extensions\
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [06:04 12/01/2012]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:40 21/02/2012]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:08 03/03/2012]

-=E.O.F=-

#7 jluebke (Topic Starter)

Posted 06 March 2012 - 06:22 PM

Below is my RKill log. I have tried a couple of times to run TDSSKiller, but it does not seem to be launching...

==================
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/06/2012 at 18:15:10.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Rkill completed on 03/06/2012 at 18:16:26.

#8 jluebke (Topic Starter)

Posted 06 March 2012 - 07:05 PM

TDSSKiller is still not working for me. I turned off my virus protection just in case that was preventing it, but still no luck.

Also, before the RKill window opens up, a couple of these little DOS windows flash onto the screen for just a fraction of a second. I was able to get a screenshot:

[screenshot of the command windows, not preserved]

#9 boopme (Global Moderator)

Posted 06 March 2012 - 07:47 PM

If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.



Run the aswMBR either way.

The iexplore.com is malware. Do you see exactly that in Task Manager?
Press CTRL+SHIFT+ESC to open Task Manager.
Note: exactly spelled like that, not iexplorer or iexplore.exe.
If so, end the process and try MBAM.

Edited by boopme, 06 March 2012 - 07:56 PM.


#10 jluebke (Topic Starter)

Posted 06 March 2012 - 08:07 PM

iexplore.com is not showing up in Task Manager, and neither my renamed TDSSKiller nor aswMBR will run.

Should I try to run them via a command prompt?

#11 boopme (Global Moderator)

Posted 06 March 2012 - 08:36 PM

Use the following command to scan the PC with a detailed log written into the file report.txt (created in the TDSSKiller.exe utility folder):
Open Command Prompt in XP: click Start >> Run, type cmd.
Copy and paste this at the flashing cursor and hit Enter:

TDSSKiller.exe -l report.txt



OR
Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

#12 jluebke (Topic Starter)

Posted 06 March 2012 - 08:51 PM

Just ran FixTDSS.exe and after the restart it indicated that an infected MBR was detected. Repair succeeded, apparently.

#13 JimsInTucson

Posted 06 March 2012 - 08:57 PM

Same-same here as you, jluebke... hopefully, your exchange will help me solve my crazy lingering re-directs. If not, maybe boopme will help me with my own log postings(?)

#14 jluebke (Topic Starter)

Posted 06 March 2012 - 09:00 PM

Now aswMBR is running just fine, and my IE redirects seem to have stopped. I will run MBAM and TDSSKiller all the way through just to be on the safe side, but it looks like the rogue process isn't interfering with the cleanup any more.

#15 boopme (Global Moderator)

Posted 06 March 2012 - 09:15 PM

Let me see aswMBR please, to be sure.
Looks like we got it.

BTW this is outdated and needs to be removed in Control Panel.

Jim, run FixTDSS and aswMBR, then MBAM.