google search redirect


This topic is locked. 53 replies to this topic.

#1 fincomputer (Members, 26 posts)

Posted 23 May 2012 - 12:50 PM

hello... thanks so much for this forum... I think there would be a lot of dead computers out there without this forum..


Symptoms are: can't do a Google search without being redirected, and the computer is slow.


GMER file is too big to attach... just let me know what you want done with it.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 16:26:21 on 2012-05-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.380 [GMT -5:00]
.
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gaevko] "c:\documents and settings\administrator\application data\anid\yrohc.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRun: [SDAlert] "c:\program files\pc tools security\Alert.exe" /PRODUCT=SD /R
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{14461677-8C19-4378-AC15-326CDF688F5B} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D47CECAB-28D1-4F1F-BAD6-ACADE845E5CD} : DhcpNameServer = 192.168.1.254 64.59.176.13 64.59.176.15
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-5-16 263888]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-5-16 338880]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-5-16 233976]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2012-5-16 337872]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2012-5-16 371472]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2012-5-16 1117144]
S2 CARMANSCAN_II;CARMANSCAN_II.Sys PDIUSBD12 Bulk IO test driver;c:\windows\system32\drivers\CARMANSCAN_II.sys [2010-12-11 16908]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-12-30 47176]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-12-30 58112]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [2007-7-18 3584]
.
=============== Created Last 30 ================
.
2012-05-18 15:11:19 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Threat Expert
2012-05-16 22:20:47 767952 ----a-w- c:\windows\BDTSupport.dll
2012-05-16 22:20:47 2029520 ----a-w- c:\windows\PCTBDCore.dll
2012-05-16 22:20:47 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-05-16 22:20:46 1533904 ----a-w- c:\windows\PCTBDRes.dll
2012-05-16 22:18:46 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-05-16 22:18:46 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-05-16 22:18:45 253096 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-05-16 22:18:40 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-05-16 22:18:40 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-05-16 22:18:36 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-05-16 22:18:30 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-05-16 22:18:06 -------- d-----w- c:\program files\PC Tools Security
2012-05-16 22:18:06 -------- d-----w- c:\program files\common files\PC Tools
2012-05-16 22:18:06 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-05-16 17:41:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 17:41:23 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-16 17:21:15 -------- d-----w- c:\documents and settings\administrator\application data\Laop
2012-05-16 17:21:15 -------- d-----w- c:\documents and settings\administrator\application data\Eppuam
2012-05-16 17:21:15 -------- d-----w- c:\documents and settings\administrator\application data\Anid
2012-05-15 17:59:10 135168 --sha-r- c:\windows\system32\localel.dll
.
==================== Find3M ====================
.
.
============= FINISH: 16:31:35.88 ===============
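An added example (not from the thread) that applies the kind of triage the helper performed on the DDS log above: it flags autostart entries running from user-profile locations, any Hosts: override DDS reports, and recently created hidden+system files under the Windows directory. The excerpt is constructed from lines of the posted log, and the rule names are my own.

```python
import re

# Constructed excerpt modelled on the DDS log posted above: only lines the
# triage rules look at are kept, so the example runs offline.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gaevko] "c:\documents and settings\administrator\application data\anid\yrohc.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
Hosts: 127.0.0.1 www.spywareinfo.com
.
=============== Created Last 30 ================
.
2012-05-16 22:20:47 767952 ----a-w- c:\windows\BDTSupport.dll
2012-05-16 17:21:15 -------- d-----w- c:\documents and settings\administrator\application data\Anid
2012-05-15 17:59:10 135168 --sha-r- c:\windows\system32\localel.dll
.
============= FINISH: 16:31:35.88 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
RUN_RE = re.compile(
    r'^[um]Run: \[(?P<name>[^\]]+)\]\s*"?(?P<path>[^"]*?\.(?:exe|dll|scr|cpl))"?', re.I)
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(?P<attrs>\S{8})\s+(?P<path>.+)$")

# Autostart binaries in user-writable profile paths are the classic dropper
# footprint; the [Gaevko] entry is the one the helper targeted in this thread.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
WINDOWS_DIR = "c:\\windows\\"


def triage_dds(text):
    """Walk a DDS log section by section; return a list of finding dicts."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section == "pseudo hjt report":
            m = RUN_RE.match(line)
            if m:
                if any(k in m.group("path").lower() for k in USER_WRITABLE):
                    findings.append({"rule": "autostart-in-user-profile",
                                     "item": m.group("path"), "line": line})
            elif line.lower().startswith("hosts:"):
                # Any Hosts: entry DDS reports is worth a look (redirect symptom).
                findings.append({"rule": "hosts-override",
                                 "item": line.split(None, 1)[1], "line": line})
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            attrs, path = m.group("attrs"), m.group("path")
            # DDS attribute flags: d=directory, s=system, h=hidden, a=archive.
            if "s" in attrs and "h" in attrs and path.lower().startswith(WINDOWS_DIR):
                findings.append({"rule": "hidden-system-file-in-windows",
                                 "item": path, "line": line})
            elif attrs.startswith("d") and any(k in path.lower() for k in USER_WRITABLE):
                findings.append({"rule": "new-dir-in-user-profile",
                                 "item": path, "line": line})
    return findings
```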


#2 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 23 May 2012 - 02:17 PM

Hello fincomputer! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\localel.dll

Note: if VT says this file has already been analysed, make sure you click "Reanalyse file now".

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/



Regards,
Georgi

Edited by B-boy/StyLe/, 23 May 2012 - 02:22 PM.



#3 fincomputer (Topic Starter, Members, 26 posts)

Posted 23 May 2012 - 04:50 PM

The two scan URLs redirected me to Google... I booted up in safe mode and was able to get the URLs to come up, but when browsing for the localel.dll file you wanted, it wasn't there. The files in the system32 folder with similar names are:

localsec.dll
localspl.dll
localui.dll


What's next, sir?

#4 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 23 May 2012 - 06:00 PM

Hi,



Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



Regards,
Georgi



#5 fincomputer (Topic Starter, Members, 26 posts)

Posted 24 May 2012 - 11:47 AM

ComboFix hung up on an infected calc.exe file for about 10 minutes. I've attached the log.

Attached Files: log.txt (9.5KB)


#6 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 24 May 2012 - 12:02 PM

Hi fincomputer,





We need to execute a CFScript to clean some remnants.


Please do this:


1. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important!!!

2. Copy/paste the text in the codebox below into it: (include the link as well).

http://www.bleepingcomputer.com/forums/topic454638.html


Collect::
c:\windows\system32\localel.dll
File::
c:\windows\Tasks\gpqxlbzbw.job
DirLook::
c:\documents and settings\Administrator\Application Data\Anid
c:\documents and settings\Administrator\Application Data\Laop
c:\documents and settings\Administrator\Application Data\Eppuam
SRPeek::
c:\windows\system32\calc.exe
MIA::
c:\windows\system32\calc.exe
RegLock::
[HKEY_USERS\S-1-5-21-1202660629-839522115-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
Registry::
[HKEY_USERS\S-1-5-21-1202660629-839522115-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=-
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Save this as CFScript.txt, in the same location as ComboFix.exe

3. Close any open browsers.

4. Referring to the picture below, drag CFScript into ComboFix.exe


5. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
  • If for some reason ComboFix fails to upload anything, you will see this message:
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.


6. When ComboFix finishes, it will produce a log for you at C:\ComboFix.txt, which I will require in your next reply.



Can you please go to C:\qoobox, right click the Quarantine folder and select Send to > Compressed (zipped) folder; that will make a zipped copy of the quarantine folder.
Then please upload that to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit them to antivirus companies if needed.



Regards,
Georgi

Edited by B-boy/StyLe/, 24 May 2012 - 12:03 PM.



#7 fincomputer (Topic Starter, Members, 26 posts)

Posted 24 May 2012 - 02:10 PM

As per your instructions...

Attached Files



#8 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 24 May 2012 - 03:36 PM

Hi,


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Posted Image textbox.
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\config\systemprofile\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
    %windir%\temp*.*
    %windir%\system32\*.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC_32\*.* /S /MD5
    %systemroot%\assembly\GAC_MSIL\*.* /S /MD5
    /md5start
    calc.exe
    smss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    explorer.exe
    netbt.sys
    ipsec.sys
    hlp.dat
    /md5stop
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Regards,
Georgi



#9 fincomputer (Topic Starter, Members, 26 posts)

Posted 24 May 2012 - 04:47 PM

Things are starting to speed up... nice :)

Logs are attached.

Attached Files



#10 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 24 May 2012 - 05:01 PM

Hi,


It seems that you don't have a clean copy of this file that we can use for replacement:


< MD5 for: CALC.EXE >
[2002/12/31 07:00:00 | 000,946,448 | ---- | M] (Microsoft Corporation) MD5=006728285A531498449FCB9B4AC8814E -- C:\WINDOWS\system32\calc.exe

Do you have access to another Win XP computer to copy this file from, or do you have any friends with XP?

You have an infected file on the computer that Windows needs in order to run - we have to replace this file because we can't just delete it.

We need to find a way to copy a good file from a clean computer and move it to the infected computer.



Let me know.



Regards,
Georgi

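An added example (not the helper's or OTL's own code) that parses OTL's "< MD5 for: ... >" output and checks every copy of each file against a reference hash recorded from a known-clean machine, to decide whether a clean local copy exists for replacement or an external copy is needed, which is the conclusion reached in the post above. The CALC.EXE line is the one posted above; the SMSS.EXE block and all hashes in CLEAN_BASELINE are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed OTL excerpt: the CALC.EXE line reproduces the one posted above;
# the SMSS.EXE block and every hash in CLEAN_BASELINE are placeholders made up here.
SAMPLE_OTL = r"""
< MD5 for: CALC.EXE >
[2002/12/31 07:00:00 | 000,946,448 | ---- | M] (Microsoft Corporation) MD5=006728285A531498449FCB9B4AC8814E -- C:\WINDOWS\system32\calc.exe

< MD5 for: SMSS.EXE >
[2008/04/14 07:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=22222222222222222222222222222222 -- C:\WINDOWS\system32\smss.exe
[2008/04/14 07:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\WINDOWS\system32\dllcache\smss.exe
"""

# Reference hashes you would record from a known-clean machine of the same
# Windows version and service pack (placeholders, not real XP hashes).
CLEAN_BASELINE = {
    "calc.exe": "00000000000000000000000000000000",
    "smss.exe": "11111111111111111111111111111111",
}

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$")


def parse_otl_md5(text):
    """Return {filename: [(path, MD5), ...]} from OTL's /md5start ... /md5stop output."""
    copies = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name").lower()
            continue
        e = ENTRY_RE.search(line)
        if e and current:
            copies[current].append((e.group("path"), e.group("md5").upper()))
    return dict(copies)


def assess(copies, baseline):
    """Per baselined file: clean, replace-from-local-copy, needs-external-copy or not-found.

    The second element lists the clean copies usable for replacement, or the
    tampered paths when no clean copy exists anywhere on the machine.
    """
    verdicts = {}
    for name, good in baseline.items():
        good = good.upper()
        found = copies.get(name, [])
        clean = [p for p, h in found if h == good]
        bad = [p for p, h in found if h != good]
        if not found:
            verdicts[name] = ("not-found", [])
        elif not bad:
            verdicts[name] = ("clean", clean)
        elif clean:
            verdicts[name] = ("replace-from-local-copy", clean)
        else:
            verdicts[name] = ("needs-external-copy", bad)
    return verdicts


if __name__ == "__main__":
    for name, (verdict, paths) in assess(parse_otl_md5(SAMPLE_OTL), CLEAN_BASELINE).items():
        print(f"{name}: {verdict} {paths}")
```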


#11 fincomputer (Topic Starter, Members, 26 posts)

Posted 25 May 2012 - 10:16 AM

OK... got one on a USB drive. Do you have a preferred method to replace the infected one?

#12 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 25 May 2012 - 04:42 PM

Hi,


Please copy calc.exe to C:\ (C:\calc.exe).

Next:

1. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important!!!

2. Copy/paste the text in the codebox below into it:

ClearJavaCache::
FCopy::
C:\calc.exe | C:\WINDOWS\system32\calc.exe

3. Save this as CFScript.txt to your flash drive and then transfer it to the infected PC. Save it in the same place as ComboFix.exe.

4. Close any open browsers.

5. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

6. Referring to the picture below, drag CFScript into ComboFix.exe



When finished, it will produce a log for you at C:\ComboFix.txt, which I will require in your next reply.



I'll reply back no later than Monday.



Regards,
Georgi



#13 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 29 May 2012 - 05:54 AM

Hi fincomputer,


It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.



Regards,
Georgi



#14 fincomputer (Topic Starter, Members, 26 posts)

Posted 30 May 2012 - 01:17 PM

Sorry... haven't been at work for a few days.

Latest log is attached.

Attached Files: log.txt (8.63KB)


#15 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,310 posts, Bulgaria)

Posted 30 May 2012 - 05:34 PM

Hi,


Not a problem. :)
The log is clean.



Let's do a few more checks just to make sure:



STEP 1



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.





STEP 2



Please download aswMBR.exe to your desktop.



  • Double click the aswMBR.exe icon to run it.
  • The program will offer to download the latest antivirus definitions from Avast servers. Click YES to agree.
  • When it's done, in the AV Scan drop-down options choose C:\
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Note - do NOT attempt any Fix or FixMBR yet.





STEP 3



Run Scan with Malwarebytes


  • Please download and install Malwarebytes' Anti-Malware.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.





STEP 4



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image




STEP 5



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi





