Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser ReDirects - Particularly from Google Results


  • This topic is locked This topic is locked
10 replies to this topic

#1 OldDosGuy

OldDosGuy

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 18 March 2012 - 07:47 AM

Hello Bleeping,

It's been a while (fortunately). Last time, about a year ago, extremeboy helped me out.

Problem started March 13 or 14. Clicked on a travel website and computer hung for a little bit. I killed the search. And then got a Norton warning .. Intrusion attempt blocked….system32\ SVCHost.exe. AND…_ex-08.exe detected by SONAR and quaranteed.

Searched and Manually deleted _ex-68.exe. Also found potential suspects created at the same time: packet.dll, wpcap.dll, tmp.edb, npf.sys.

Next came the website redirects. Seems primarily from google searches. Also got the fake google security alert.

Tried system restores but not able to restore

Ran multiple scans with Norton, SAS, Malewarebytes, and Spybot. Here are some of the nasties turned up and deleted or quaranteed:

Bloodhound.MaIPE
Trojan.maljava
W3i.IQ5.fraud
Registry keys deleted from W3i and Freeze.com

Further attacks from :

Blackhole toolkit website - attacking uvalue.in, attacking or attacked from IExplorer.exe

Verded.com/hr/find.php, file=grabbers

Further scans are only finding cookies as they occur.

Appreciate your help.
_____________________________

Followed the instructions you provided but I was already running Norton Firewall and not Windows Firewall. Which should I run?
___________________

dds.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by David Osburn at 23:39:08 on 2012-03-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1864 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Security\SuperAntiSpyWare\SASCORE.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\StorageSync\StrgSync.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\DAVIDO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Security\SuperAntiSpyWare\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.3.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.3.6\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.3.6\coIEPlg.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\security\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\davido~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hp\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hp\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{60F683A0-4B8E-4745-A274-8B67448960CB} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.3.6\CoIEPlg.dll
Notify: !SASWinLogon - c:\security\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\security\superantispyware\SASSEH.DLL
Hosts: 87.229.126.50 www.google.com
Hosts: 87.229.126.51 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-14 64512]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308030.006\SymEFA.sys [2011-10-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308030.006\BHDrvx86.sys [2011-10-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308030.006\cchpx86.sys [2011-10-31 467592]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20120316.005\IDSXpx86.sys [2012-3-17 356280]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-12 214664]
R1 SASDIFSV;SASDIFSV;c:\security\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\security\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\security\superantispyware\SASCore.exe [2011-8-11 116608]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-7-21 2152152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.3.6\ccSvcHst.exe [2011-10-31 117648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-3 106104]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20120317.009\NAVENG.SYS [2012-3-17 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20120317.009\NAVEX15.SYS [2012-3-17 1576312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-7-21 15232]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-12 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-12 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-12 40552]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-8-16 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-3-14 50704]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2012-03-14 23:35:23 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-03-14 23:35:23 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-03-14 23:35:23 100880 ----a-w- c:\windows\system32\Packet.dll
2012-03-12 23:55:27 -------- d-----w- c:\program files\Audible
2012-03-03 17:23:57 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 17:23:57 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-03-01 02:34:29 -------- d-----w- c:\documents and settings\david osburn\application data\EuroTalk
2012-03-01 02:34:24 -------- d-----w- c:\program files\EuroTalk
.
==================== Find3M ====================
.
2012-03-15 04:45:01 26112 ----a-w- c:\windows\system32\userinit.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-06 18:11:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-08-23 19:45:21 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-06-03 00:52:36 2886432 ----a-w- c:\program files\PrintKey-Pro-v105.exe
2007-01-06 05:02:56 1424396 ------w- c:\program files\sbwsetup.exe
.
============= FINISH: 23:40:53.15 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 March 2012 - 12:14 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Posted Image Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [EmptyTemp]
    [ResetHosts]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • OTM log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 18 March 2012 - 08:03 PM

Hello RPMcMurphy,

Thanks for your response. I had a little trouble with the instructions so I hope this is right. Basically I have the two log files below. OTM made me reboot but then it just fed me back a txt file. MBAM came up clean and just fed me back a log/txt file. Please let me know if you need anything different or if I did something incorrectly.

Thanks
__________________
OTM Log:

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 215594 bytes

User: All Users

User: David Osburn
->Temp folder emptied: 4906857 bytes
->Temporary Internet Files folder emptied: 32540455 bytes
->Java cache emptied: 80562029 bytes
->Flash cache emptied: 1967930 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 63377 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16931 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 66486988 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 934705864 bytes

Total Files Cleaned = 1,070.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.19.0 log created on 03182012_170159

Files moved on Reboot...
C:\Documents and Settings\David Osburn\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully.
C:\Documents and Settings\David Osburn\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully.
C:\Documents and Settings\David Osburn\Local Settings\Temp\~DFB9BB.tmp moved successfully.
File C:\Documents and Settings\David Osburn\Local Settings\Temp\~DFBA41.tmp not found!
C:\Documents and Settings\David Osburn\Local Settings\Temp\~DFC5B8.tmp moved successfully.
File C:\Documents and Settings\David Osburn\Local Settings\Temp\~DFC5CC.tmp not found!
File C:\Documents and Settings\David Osburn\Local Settings\Temp\~DFED1.tmp not found!
C:\Documents and Settings\David Osburn\Local Settings\Temp\~WRD0000.doc moved successfully.
C:\Documents and Settings\David Osburn\Local Settings\Temporary Internet Files\OLK1AB\att97.tmp moved successfully.
C:\Documents and Settings\David Osburn\Local Settings\Temporary Internet Files\OLK1AB\att98.tmp moved successfully.
C:\Documents and Settings\David Osburn\Local Settings\Temporary Internet Files\Content.IE5\YB1DPXP6\page__pid__2635470[1].htm moved successfully.
File C:\WINDOWS\temp\JETBCA4.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_4b4.dat not found!

Registry entries deleted on Reboot…

__________________________________________

MBAM Log

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
David Osburn :: D1MGD1C1 [administrator]

3/18/2012 5:57:18 PM
mbam-log-2012-03-18 (17-57-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 343721
Time elapsed: 1 hour(s), 58 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

______________________________

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 March 2012 - 08:18 PM

That was exactly what I was looking for. How is it running now - are you still being redirected? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 31
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u31-windows-i586.exe to install the newest version.
Posted Image Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 19 March 2012 - 11:51 AM

RPMcMurphy,
>
> I confess to not updating Java. But....everytime I have tried to run an
> update my own system has denied me permission to do so. Not sure if it was the application or a registry lock. It's been a while.

Installed new Java and ran ESET. Scan came back with no detections. Only had a minute to test Google, but so far no redirections.

Next?

Thanks

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 19 March 2012 - 01:09 PM

That should do it! All I have left for you is another update and some very important cleanup:

Posted Image Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Posted Image Cleanup with OTM
  • Double-click OTM.exe to start the program.
  • Close all other programs apart from OTM as this step will require a reboot
  • On the OTM main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Manually delete any remaining tools or logs from our work
Posted Image Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 19 March 2012 - 09:33 PM

RPMcMurphy,

Just a few remaining issues and questions.

1. Same problem with Adobe that I think I was having with Java. Try to install updates and get the following message:

Error 1402. Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsft\Windows\CurrentVersion|Run\OptionalComponents\MSFS. Verify that you have sufficient access to that key, or contact your support personnel.

I tried to uninstall and reinstall and got the same message. Finally got it to go after uninstalls-reboot-reinstalls. Don't recall ever having this issue until about the last year or so. Think I need to log in as an administrator or do I need to change my registry permisssions?

2. OTM Clean-up. - Followed instructions and it looks like OTM, DDS, ESET, GMER and Defogger were removed? Does this sound right?

3. Tool deletion..... I came to the party with MBAM, Spybot, SAS, Norton Security Suite (actively running), Ad-Aware Ad-Watch (actively running), CCleaner, Combofix, TDSS Killer, and HijackThis.

I plan to keep Norton, MBAM, Ad-Aware, and Spybot. Should all the rest go?

5. We turned off CD Emulation. What do I need to do?

6. I re-enabled Norton and adware to actively run.

7. Norton Firewall -or- Windows Firewall?

8. Recommedations? I read your Tech Support forum on PC Safety and Security. Great article. I really do practice safe surfing and keep everything up to date except those few patches where I have been having trouble with registry permissions. But every year I get hit at least once. Are there any products or settings that will stop registry changes and dll downloads without permissions? Any good registry cleaners? Or....is this just life on the internet? Also, can you advise or point me toward info about cleaning up my start-up programs and stopping unnecessary processes from running?

Thanks,
OldDosGuy

p.s. for RPMcMurphy.....Nurse Ratched called and said it's time for your medication.

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 20 March 2012 - 01:29 PM

1. Same problem with Adobe that I think I was having with Java.....

You normally need to be logged in as an administrator or power user to install software

2. OTM Clean-up. - Followed instructions and it looks like OTM, DDS, ESET, GMER and Defogger were removed? Does this sound right?

Yes, that is expected/desired behavior.

3. Tool deletion.....

I'd get rid of ad-aware also as it now has an anti-virus component and running more than one AV is never a good idea. Norton, MBAM and Spybot S&D should be sufficient for you.

5. We turned off CD Emulation. What do I need to do?

Sorry, I forgot about that. You need to do this:

Posted Image Please download DeFogger to your desktop.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled. You may delete DeFogger again.

6. I re-enabled Norton and adware to actively run.

See # 3

7. Norton Firewall -or- Windows Firewall?

I'd recommend using Norton's, especially with Windows XP as that firewall has no outgoing protection.

8. Recommedations?....

Largely it's life on the internet - the security apps you have should help you avoid most trouble. We don't recommend registry cleaners as if not used carefully can cause far more trouble than they allege to solve. Try using StartUpLight to disable or remove unnecessary startup entries from your computer.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 20 March 2012 - 08:20 PM

Done.

Thanks

Bromden

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 20 March 2012 - 09:30 PM

You're welcome, Bromden. Take care!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 21 March 2012 - 10:40 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users