
allsafelist redirect google chrome


This topic is locked. 71 replies to this topic.

#1 EllieM (Members, 48 posts)

Posted 15 August 2012 - 08:55 AM

I have run Malwarebytes, SUPERAntiSpyware, Trend Micro, and Microsoft Security Essentials, but I am still getting redirected in Google Chrome to allsafelist.com. Internet Explorer is acting almost normal. The only thing I notice is that sometimes my back button does not work in Internet Explorer. Please help.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 7:18:24 on 2012-08-15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.818 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\java.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files\a la mode\sched\eSched.exe
C:\Program Files\Windows Mail\WinMail.exe
c:\a la mode\wintotal\winform.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\a la mode\WinTOTAL\AppDeskShell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
C:\Program Files\Google\Google Earth\client\googleearth.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Streets & Trips\Streets.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
mStart Page = about:blank
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [The Assistant] c:\program files\a la mode\sched\eSched.exe /checkuac
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
Trusted Zone: hud.gov\www
Trusted Zone: maar.org\www
Trusted Zone: maardata.org
Trusted Zone: mlxchange.com\maar
DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/FileCruiser.cab
DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/Specfile.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/MLSClientUtils.cab
DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/LiteGrid.cab
DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/IRCWebPrint.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/WebDog.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/AspCustomCtrls.cab
TCP: DhcpNameServer = 10.0.0.2
TCP: Interfaces\{E27FE651-4826-42E0-BFFF-C5A3C66D3F16} : NameServer = 8.8.8.8
TCP: Interfaces\{E27FE651-4826-42E0-BFFF-C5A3C66D3F16} : DhcpNameServer = 10.0.0.2
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
R1 MpKsl43c961a9;MpKsl43c961a9;c:\programdata\microsoft\microsoft antimalware\definition updates\{84a6aeb5-d9ac-4625-b951-16cf090500b0}\MpKsl43c961a9.sys [2012-8-15 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 MSSQL$ALAMODE;SQL Server (ALAMODE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-8-5 207360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-27 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-27 136176]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-5-22 20640]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
VBEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
VBSFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.
=============== Created Last 30 ================
.
2012-08-15 11:56:34 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{84a6aeb5-d9ac-4625-b951-16cf090500b0}\MpKsl43c961a9.sys
2012-08-15 01:20:48 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{84a6aeb5-d9ac-4625-b951-16cf090500b0}\mpengine.dll
2012-08-13 23:40:05 6891424 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-12 19:39:13 -------- d-----w- c:\users\owner\appdata\local\Adobe
2012-07-29 10:58:00 -------- d-----w- c:\program files\DailyBibleGuideEI
2012-07-23 16:51:25 -------- d-----w- C:\7134 hwy 59 W Morton Bldg
.
==================== Find3M ====================
.
2012-08-15 01:20:26 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 01:20:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-14 21:56:59 23580 ----a-w- C:\stream.bin
2012-07-18 18:39:06 3766128 ----a-w- c:\windows\system32\filecabinet5.dll
2012-07-17 14:18:12 739184 ----a-w- c:\windows\system32\aconvert.dll
2012-07-09 18:17:27 103272 ----a-w- c:\users\owner\GoToAssistDownloadHelper.exe
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-22 14:07:16 1136496 ----a-w- c:\windows\system32\temp.001
2012-06-22 14:07:16 1136496 ----a-w- c:\windows\system32\auroraupgrade.dll
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 7:20:16.17 ===============
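The "Pseudo HJT Report" section of the DDS log above is what the helpers read first: start pages, BHOs, Run keys, Trusted Zone sites, ActiveX (DPF) downloads and the per-interface DNS settings. As an added example, not part of the original post and not code from the DDS tool, here is a small Python triage script that parses lines in that format and lists the entries a reviewer would check by hand: a BHO CLSID whose DLL is gone ("No File"), a Run entry whose binary lives outside Program Files or Windows, every Trusted Zone entry, DPF downloads from hosts outside a vendor allow-list, and a static NameServer on an interface that differs from the DHCP-assigned one. The sample lines are constructed to mirror the posted log (one extra "[Updater]" uRun line is added only to exercise the user-directory rule), and the directory and vendor allow-lists are this example's assumptions.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example: not part of the original post and not code from the DDS tool.
It parses lines in the shape shown in the posted log and lists the entries a
reviewer would check by hand. The install-location and vendor allow-lists are
this example's assumptions, and a flagged line is a prompt to look, not a verdict.
"""
import re

# Constructed sample shaped like the posted log (URLs defanged as hxxp, as in
# the log). The "[Updater]" uRun line is NOT in the posted log; it is added only
# to exercise the user-directory rule.
SAMPLE_DDS = r"""
uStart Page = https://www.google.com/
mStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uRun: [Updater] c:\users\owner\appdata\local\temp\upd.exe
Trusted Zone: hud.gov\www
Trusted Zone: mlxchange.com\maar
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/FileCruiser.cab
TCP: DhcpNameServer = 10.0.0.2
TCP: Interfaces\{E27FE651-4826-42E0-BFFF-C5A3C66D3F16} : NameServer = 8.8.8.8
TCP: Interfaces\{E27FE651-4826-42E0-BFFF-C5A3C66D3F16} : DhcpNameServer = 10.0.0.2
"""

LINE = re.compile(r"^(?P<kind>[\w \-]+?)\s*[:=]\s*(?P<rest>.*)$")
RUN = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
WINPATH = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll|cpl)', re.I)
URLHOST = re.compile(r"h(?:xx|tt)ps?://([^/\s]+)", re.I)
TCPLINE = re.compile(r"^(?:Interfaces\\(?P<iface>\{[^}]+\})\s*:\s*)?(?P<key>\w+)\s*=\s*(?P<val>\S+)")

# Assumed allow-lists: where autostart binaries normally live on a 32-bit
# Vista box, and hosts from which ActiveX (DPF) downloads are expected.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
VENDOR_HOSTS = ("microsoft.com", "macromedia.com", "java.sun.com")


def parse(text):
    """Split report lines into (kind, rest) pairs, e.g. ("BHO", "{...} - No File")."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["rest"].strip()))
    return entries


def is_vendor_host(host):
    """Exact or proper-subdomain match against the vendor allow-list."""
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS)


def triage(entries):
    """Return (rule, detail) findings for the entries worth a manual look."""
    findings = []
    dns = {}  # interface GUID (or "global") -> {"NameServer": ..., "DhcpNameServer": ...}
    for kind, rest in entries:
        if kind == "BHO" and rest.endswith("No File"):
            # CLSID still registered but its DLL is gone: leftover of a removed add-on.
            findings.append(("orphan-bho", rest))
        elif kind.endswith("Run"):
            m = RUN.match(rest)
            p = WINPATH.search(m["cmd"]) if m else None
            path = p.group(0).lower() if p else None
            if path and (not path.startswith(TRUSTED_DIRS) or "\\temp\\" in path):
                findings.append(("run-outside-program-dirs", f"{m['name']}: {path}"))
        elif kind == "Trusted Zone":
            # Sites in IE's Trusted zone run with relaxed security settings.
            findings.append(("ie-trusted-zone", rest))
        elif kind == "DPF":
            h = URLHOST.search(rest)
            host = h.group(1).lower() if h else "?"
            if not is_vendor_host(host):
                findings.append(("third-party-activex", f"{host}: {rest}"))
        elif kind == "TCP":
            t = TCPLINE.match(rest)
            if t:
                dns.setdefault(t["iface"] or "global", {})[t["key"]] = t["val"]
    for iface, cfg in dns.items():
        static, dhcp = cfg.get("NameServer"), cfg.get("DhcpNameServer")
        if static and static != dhcp:
            # A hard-coded resolver that is not what DHCP handed out is what a
            # DNS-changing infection sets; it is also what a user sets by hand.
            findings.append(("dns-static-override",
                             f"{iface}: NameServer={static}, DhcpNameServer={dhcp}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse(SAMPLE_DDS)):
        print(f"{rule:26} {detail}")
```

A flag is a prompt to look, not a verdict. In the log above the static NameServer is 8.8.8.8 (Google Public DNS), which may well have been set on purpose, and the DPF controls come from the same mlxchange.com host the user has placed in the Trusted Zone. The point of the script is that it pulls the same short list out of a 10 KB log every time, so the helper can spend the attention on those lines instead of scanning the whole report.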

#2 HelpBot (Bleepin' Binary Bot, Bots, 12,769 posts)

Posted 20 August 2012 - 09:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/465298 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 EllieM (Topic Starter, Members, 48 posts)

Posted 22 August 2012 - 09:18 AM

I am still having the same problem. I have attached a new DDS and GMER log.

Attached Files

  • Attached File  DDS.txt   11.13KB   1 downloads
  • Attached File  ARK.txt   8.93KB   1 downloads


#4 Oh My! (Adware and Spyware and Malware....., Malware Response Instructor, 38,176 posts, California)

Posted 22 August 2012 - 11:41 AM

Greetings EllieM and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My! (Adware and Spyware and Malware....., Malware Response Instructor, 38,176 posts, California)

Posted 22 August 2012 - 12:10 PM

Greetings EllieM,

I would like to take a look at the Malwarebytes log from your previous run and also have you run another program for me.

Please perform the following.


===================================================


Posting Previous Malwarebytes Log

--------------------

  • Launch Malwarebytes
  • Select the Logs tab
  • Highlight the last scan entry, select Open, and a Notepad document will open on your desktop
  • Copy and paste the contents of the document in your reply

===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Malwarebytes log
  • Combofix.txt
  • How is your computer running? Still have redirects?

Gary
 

#6 EllieM (Topic Starter, Members, 48 posts)

Posted 23 August 2012 - 04:26 AM

Thank you. This is the last malwarebytes log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.02

Windows Vista Service Pack 2 x86 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

8/12/2012 2:39:41 PM
mbam-log-2012-08-12 (14-39-41).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 495605
Time elapsed: 2 hour(s), 42 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 EllieM (Topic Starter, Members, 48 posts)

Posted 23 August 2012 - 05:30 AM

Here is the Combofix log:

ComboFix 12-08-22.03 - Owner 08/23/2012 5:13.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1818 [GMT -5:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\DailyBibleGuideEI
c:\program files\DailyBibleGuideEI\Installr\1.bin\2vEIPlug.dll
c:\program files\DailyBibleGuideEI\Installr\1.bin\2vEZSETP.dll
c:\program files\DailyBibleGuideEI\Installr\1.bin\NP2vEISb.dll
c:\users\Owner\AppData\Local\FEMA
c:\users\Owner\AppData\Local\FEMA\fmit.cfg
c:\users\Owner\GoToAssistDownloadHelper.exe
c:\windows\TEMP\ppcrlui_1560_2
.
.
((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))
.
.
2012-08-23 10:22 . 2012-08-23 10:22 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-08-23 10:22 . 2012-08-23 10:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-23 10:22 . 2012-08-23 10:22 -------- d-----w- c:\users\Eli\AppData\Local\temp
2012-08-23 09:20 . 2012-08-01 22:51 7023536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5277F079-7A32-41B5-8FEF-B5D13CCA4B99}\mpengine.dll
2012-08-22 11:29 . 2012-08-01 22:51 7023536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-16 08:01 . 2012-07-04 14:02 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 19:06 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll
2012-08-12 19:39 . 2012-08-14 08:33 -------- d-----w- c:\users\Owner\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 01:20 . 2012-04-05 21:40 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:20 . 2012-01-28 10:47 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 18:39 . 2012-01-26 03:42 3766128 ----a-w- c:\windows\system32\filecabinet5.dll
2012-07-17 14:18 . 2012-01-26 03:42 739184 ----a-w- c:\windows\system32\aconvert.dll
2012-07-03 18:46 . 2012-06-16 12:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-22 14:07 . 2012-06-22 14:07 1136496 ----a-w- c:\windows\system32\temp.001
2012-06-22 14:07 . 2012-01-26 03:42 1136496 ----a-w- c:\windows\system32\auroraupgrade.dll
2012-06-18 14:47 . 2012-07-04 01:21 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C7413546-5017-4FFC-A315-F970DFB3AF59}\gapaengine.dll
2012-06-18 14:47 . 2012-02-11 00:22 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-05 16:47 . 2012-07-11 10:11 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47 . 2012-07-11 10:11 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26 . 2012-07-11 10:10 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-08 23:36 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-08 23:36 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-08 23:36 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-08 23:36 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-08 23:36 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-08 23:36 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-08 23:36 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-08 23:35 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-08 23:35 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 00:04 . 2012-07-11 10:10 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03 . 2012-07-11 10:10 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"The Assistant"="c:\program files\a la mode\Sched\eSched.exe" [2007-04-16 99840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PictureMover.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk
backup=c:\windows\pss\PictureMover.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 01:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-02-01 10:55 136176 ----atw- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-06-02 22:14 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-07-03 19:44 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2005-08-25 00:25 101080 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-13 00:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-22 14:49 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 16:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-24 01:33 4777856 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 01:20]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-27 14:30]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-27 14:30]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198152204-3638093581-3411781446-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-01 10:55]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198152204-3638093581-3411781446-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-01 10:55]
.
2012-08-22 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-05 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
mStart Page = about:blank
Trusted Zone: hud.gov\www
Trusted Zone: maar.org\www
Trusted Zone: maardata.org
Trusted Zone: mlxchange.com\maar
TCP: DhcpNameServer = 10.0.0.2
TCP: Interfaces\{E27FE651-4826-42E0-BFFF-C5A3C66D3F16}: NameServer = 8.8.8.8
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/MLSClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://maar.mlxchange.com/5.5.13.26155/Control/IRCSharc.cab
.
.
------- File Associations -------
.
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-InstallIQUpdater - c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-23 05:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-23 05:27:04
ComboFix-quarantined-files.txt 2012-08-23 10:26
.
Pre-Run: 74,207,285,248 bytes free
Post-Run: 74,739,036,160 bytes free
.
- - End Of File - - 1862D0DE3F54E7E1D1CD325DF7BF940B

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:03:35 AM

Posted 23 August 2012 - 09:29 AM

Greetings EllieM,

Thank you for that information. Can you tell me if there is any change in your computer's behavior?

I would like to check the validity of a file on your computer. Please perform the following for me, if you would.


===================================================


Virustotal Online Virus Scanner

--------------------

  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file, double click on it so the file name is populated, then click Scan it!

    c:\windows\system32\aconvert.dll
  • Once completed, highlight the information in the address bar and copy then paste the link in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • VirusTotal link
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 EllieM

EllieM
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 23 August 2012 - 09:59 AM

Google is still redirecting.

SHA256: 23d2c6ec349a92aea0da9e3ce7ed356720706b04e19cc237fe6dd9fc848bb6ed
File name: aconvert.dll
Detection ratio: 0 / 41
Analysis date: 2012-08-23 14:55:14 UTC ( 1 minute ago )

Antivirus              Result   Update
AhnLab-V3              -        20120823
AntiVir                -        20120823
Antiy-AVL              -        20120822
Avast                  -        20120823
AVG                    -        20120823
BitDefender            -        20120823
ByteHero               -        20120817
CAT-QuickHeal          -        20120823
ClamAV                 -        20120823
Commtouch              -        20120823
Comodo                 -        20120823
DrWeb                  -        20120823
Emsisoft               -        20120823
eSafe                  -        20120823
ESET-NOD32             -        20120822
F-Prot                 -        20120823
F-Secure               -        20120823
Fortinet               -        20120823
GData                  -        20120823
Ikarus                 -        20120818
Jiangmin               -        20120823
K7AntiVirus            -        20120822
Kaspersky              -        20120823
McAfee                 -        20120823
Microsoft              -        20120823
Norman                 -        20120823
nProtect               -        20120823
Panda                  -        20120823
PCTools                -        20120823
Rising                 -        20120823
Sophos                 -        20120823
SUPERAntiSpyware       -        20120823
Symantec               -        20120823
TheHacker              -        20120822
TotalDefense           -        20120823
TrendMicro             -        20120823
TrendMicro-HouseCall   -        20120823
VBA32                  -        20120823
VIPRE                  -        20120823
ViRobot                -        20120823
VirusBuster            -        20120823
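
Taken together, the check Gary asks for in post #8 and the report pasted in post #9 are a file-hash lookup and a multi-engine verdict table. What follows is an added example, not code from this thread or from VirusTotal: it computes the SHA-256 a file would be keyed on, parses the one-field-per-line text that copying a report page produces into structured rows, recomputes the detection ratio from the rows instead of trusting the printed one, and lists engines whose signature sets were already stale at scan time. Assumptions: the layout (a label line followed by its value line, then an Antivirus/Result/Update header and engine/result/date triplets, ending at "Comments") is inferred from the paste above; the sample report is constructed, with the "ExampleAV" engine and its signature name invented; the three-day staleness threshold is an arbitrary choice.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date, datetime
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample in the one-field-per-line shape of the paste above. The
# "ExampleAV" row and its signature name are invented to exercise the detection
# branch; the other rows and the header fields mirror entries from the paste.
SAMPLE_REPORT = """
SHA256:
23d2c6ec349a92aea0da9e3ce7ed356720706b04e19cc237fe6dd9fc848bb6ed
File name:
aconvert.dll
Detection ratio:
1 / 3
Analysis date:
2012-08-23 14:55:14 UTC ( 1 minute ago )
More details
Antivirus
Result
Update
AhnLab-V3
-
20120823
ByteHero
-
20120817
ExampleAV
Constructed.Test.Signature
20120823
Comments
"""

def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Chunked SHA-256 of a file: the key VirusTotal reports are indexed by,
    so a hash lookup can precede (or replace) uploading the file itself."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

@dataclass(frozen=True)
class EngineVerdict:
    engine: str
    result: Optional[str]  # None when the engine printed "-" (no detection)
    updated: date          # date of the signature set the engine scanned with

@dataclass(frozen=True)
class Report:
    sha256: str
    file_name: str
    stated_ratio: str      # the "Detection ratio" line as printed on the page
    analysis_date: date
    verdicts: Tuple[EngineVerdict, ...]

    def detections(self) -> List[EngineVerdict]:
        return [v for v in self.verdicts if v.result is not None]

    def computed_ratio(self) -> str:
        """Ratio recomputed from the rows present, to cross-check stated_ratio."""
        return f"{len(self.detections())} / {len(self.verdicts)}"

    def stale_engines(self, max_age_days: int = 3) -> List[str]:
        """Engines whose signatures were older than max_age_days at scan time
        (arbitrary threshold); their "-" says less than a freshly updated engine's."""
        return [v.engine for v in self.verdicts
                if (self.analysis_date - v.updated).days > max_age_days]

_LABELS = {"SHA256:": "sha256", "File name:": "file_name",
           "Detection ratio:": "stated_ratio", "Analysis date:": "analysis_date"}

def parse_report(text: str) -> Report:
    """Parse the one-field-per-line layout a copied VirusTotal page produces;
    residue before the table is skipped and the table ends at "Comments"."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {key: lines[lines.index(label) + 1] for label, key in _LABELS.items()}
    sha = fields["sha256"].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha):
        raise ValueError(f"not a SHA-256 hex digest: {fields['sha256']!r}")
    analysis = datetime.strptime(fields["analysis_date"][:19], "%Y-%m-%d %H:%M:%S").date()
    start = lines.index("Antivirus")
    if lines[start:start + 3] != ["Antivirus", "Result", "Update"]:
        raise ValueError("engine table header is not Antivirus/Result/Update")
    end = lines.index("Comments") if "Comments" in lines else len(lines)
    rows = lines[start + 3:end]
    if len(rows) % 3:
        raise ValueError("engine table is not made of engine/result/update triplets")
    verdicts = [EngineVerdict(engine, None if result == "-" else result,
                              datetime.strptime(updated, "%Y%m%d").date())  # bad dates raise
                for engine, result, updated in zip(rows[0::3], rows[1::3], rows[2::3])]
    return Report(sha, fields["file_name"], fields["stated_ratio"], analysis, tuple(verdicts))
```

On the post #9 results (41 engines, no detections, ByteHero at 20120817 and Ikarus at 20120818 against an analysis date of 2012-08-23) stale_engines() would name ByteHero and Ikarus. That is why a 0/41 is evidence rather than proof: engines scanning with older definitions dilute the count, and a file too new or too rare to have been sampled can come back clean on every engine. Hashing locally first also lets a responder see whether a file is already known before deciding to upload it, which matters when the file may hold private data.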

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:03:35 AM

Posted 23 August 2012 - 10:08 AM

Greetings EllieM,

Thank you for the information. Can you tell me if you are getting redirects with Internet Explorer? It does not appear that you have Firefox installed, correct?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 EllieM

EllieM
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 23 August 2012 - 10:24 AM

Internet Explorer is not redirecting and I do not have Firefox installed.

#12 EllieM

EllieM
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 23 August 2012 - 11:03 AM

Hi Gary,

Internet Explorer may be running slower than it should. I am not sure. It seems like it gets hung up more than it should.

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:03:35 AM

Posted 23 August 2012 - 12:29 PM

Greetings EllieM,

Can you tell me which browser you typically use?

In one of the logs you posted previously there is evidence of a malicious program you need to be aware of. That infection is no longer present but I would still like to advise you of the following.

Please consider and perform the below.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidences of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Disabling Plug-ins in Google Chrome

--------------------

  • Click the wrench icon on the browser toolbar
  • Select Settings
  • Click the Under the Hood tab.
  • In the Privacy section click Content Settings
  • In the Plug-ins section, select Block all
  • Check to see if the redirects are gone

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Are you still experiencing redirects with the Plug-ins disabled?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 EllieM

EllieM
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 23 August 2012 - 12:55 PM

Gary,

It is still redirecting after the plug-ins have been disabled. I don't do any banking on this computer. I reinstalled the operating system on this computer in January. I really don't want to do that again.

#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:03:35 AM

Posted 23 August 2012 - 01:09 PM

Greetings EllieM,

No problem not wanting to reformat and reinstall, I just needed to make sure you were aware of the information.

OK, let's do this.


===================================================


Run TDSSKiller by Kaspersky on Vista/7

--------------------

  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • If you desire you may print out and follow the instructions for performing a scan.
  • Right-click on TDSSKiller.exe and select Run As Administrator.
  • When the program opens, click the Start Scan button.

  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.

  • Click Continue > Reboot now to finish the cleaning process. <- Important!!

  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Please submit these results with your next reply.


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • aswMBR log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
