TechSpot

Another Google redirect

By dearpheona
May 20, 2010
  1. Since yesterday this has been happening. When I do a search and click on links, half the time I will get redirected to different junk sites.

    Tried running Hitman and it found "partmgr.sys" but wasn't able to delete/fix it.

    I've followed the steps posted and attached the logs from the programs.

    Thanks in advance for any advice or help.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, dearpheona. I will help with the malware.

    While I finish checking your logs, please do the following:
    First, uninstall Hitman. This is nothing but a bundle of programs that are free on the internet. Most are being used without the permission of their authors. This program can cause a problem with the scans.
    =========================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      iastor.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ===================================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ==========================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I will be setting up some script for you to run based on the logs you left here. Please include the SystemLook log, the Combofix report and Eset scan logs in your next report.

    Please do not use any other cleaning program or run scans while I am helping you, unless I instruct you to. Do not use a Registry cleaner or make any changes in the Registry.

    I notice you are using both LimeWire and Vuze. These are both file sharing programs and I recommend that you uninstall both. If you choose not to uninstall them, please do not use either while I am helping clean your system.
     
  3. dearpheona

    dearpheona TS Rookie Topic Starter

    Thanks Bobbye! Still running the scans. I'll paste them in a reply once they're finished up.

    I also noticed this morning that whatever it is that's in my system has decided to kill my ability to install Microsoft updates.

    Again, thanks so much for help with this.
     
  4. dearpheona

    dearpheona TS Rookie Topic Starter

    I uninstalled Hitman and the scans have finished. Here are the logs:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 17:23 on 20/05/2010 by Mae (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for " iastor.*"
    No files found.

    -=End Of File=-

    ComboFix 10-05-20.02 - Mae 05/20/2010 12:38:27.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1713 [GMT -7:00]
    Running from: c:\users\Mae\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\%appdata%

    Infected copy of c:\windows\system32\drivers\partmgr.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
    .

    2010-05-20 19:52 . 2010-05-20 19:56 -------- d-----w- c:\users\Mae\AppData\Local\temp
    2010-05-20 19:52 . 2010-05-20 19:52 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2010-05-20 19:52 . 2010-05-20 19:52 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-05-20 03:44 . 2010-05-20 03:44 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-05-20 01:41 . 2010-05-20 04:25 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-05-20 01:40 . 2010-05-20 01:40 -------- d-----w- c:\programdata\Hitman Pro
    2010-05-20 01:40 . 2010-05-20 01:40 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-05-15 02:52 . 2010-05-15 02:52 -------- d-----w- c:\users\Mae\AppData\Roaming\HPAppData
    2010-05-15 02:37 . 2010-05-15 02:37 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-05-14 18:02 . 2010-05-14 18:07 23110 ----a-w- c:\windows\hpqins15.dat
    2010-05-14 17:58 . 2010-05-14 18:13 -------- d-----w- c:\users\Mae\AppData\Roaming\HpUpdate
    2010-05-14 17:58 . 2010-05-14 17:58 -------- d-----w- c:\windows\Hewlett-Packard
    2010-05-11 23:07 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-07 17:24 . 2010-05-07 17:24 -------- d-----w- c:\programdata\WEBREG
    2010-05-07 17:24 . 2010-05-07 17:24 -------- d-----w- c:\users\Mae\AppData\Roaming\HP
    2010-05-07 17:24 . 2010-05-07 17:24 -------- d-----w- c:\users\Mae\AppData\Local\HP
    2010-05-07 17:20 . 2009-06-09 08:43 316928 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp092.dll
    2010-05-07 17:15 . 2010-05-07 17:15 -------- d-----w- c:\programdata\HP Product Assistant
    2010-05-07 17:13 . 2010-05-07 17:13 -------- d-----w- c:\program files\Common Files\HP
    2010-05-07 17:13 . 2010-05-07 17:13 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2010-05-07 17:12 . 2010-05-07 17:12 -------- d-----w- c:\windows\hpoj4500g510n-z
    2010-05-07 17:11 . 2009-05-26 17:32 716288 ----a-w- c:\windows\system32\hpwwiax9.dll
    2010-05-07 17:11 . 2009-05-26 17:32 593920 ----a-w- c:\windows\system32\hpwtscl5.dll
    2010-05-07 17:11 . 2009-05-18 21:49 372736 ----a-w- c:\windows\system32\hppldcoi.dll
    2010-05-07 17:11 . 2009-05-26 17:32 315392 ----a-w- c:\windows\system32\hpwvst01.dll
    2010-05-07 17:11 . 2009-05-21 13:14 452408 ----a-w- c:\windows\system32\hpzids01.dll
    2010-05-07 17:11 . 2009-06-09 08:43 122880 ----a-w- c:\windows\system32\hpf3l092.dll
    2010-05-07 17:10 . 2010-05-14 18:13 -------- d-----w- c:\program files\HP
    2010-05-07 17:07 . 2010-05-07 17:24 207226 ----a-w- c:\windows\hpwins28.dat
    2010-05-07 17:07 . 2010-05-07 17:24 -------- d-----w- c:\programdata\HP
    2010-05-05 23:17 . 2010-05-05 23:17 -------- d-----w- c:\program files\Microsoft.NET
    2010-05-05 23:15 . 2010-05-05 23:15 -------- d-----r- C:\MSOCache
    2010-05-05 23:09 . 2010-05-05 23:09 -------- d-----w- c:\users\Mae\AppData\Local\Seven Zip
    2010-05-05 22:32 . 2010-05-05 22:47 -------- d-----w- c:\users\Mae\AppData\Roaming\GetRightToGo
    2010-04-29 20:04 . 2007-08-20 21:08 172032 ----a-w- c:\windows\system32\igfxres.dll
    2010-04-25 01:09 . 2010-04-25 13:23 -------- d-----w- C:\Temp
    2010-04-25 00:55 . 2010-04-25 00:55 -------- d-----w- c:\programdata\NexonUS
    2010-04-25 00:36 . 2010-05-20 19:56 -------- d-----w- c:\users\Mae\AppData\Local\PMB Files
    2010-04-25 00:36 . 2010-04-25 00:36 -------- d-----w- c:\programdata\PMB Files

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-20 19:54 . 2009-07-13 19:19 -------- d-----w- c:\users\Mae\AppData\Roaming\WTablet
    2010-05-20 19:52 . 2010-02-01 05:37 12 ----a-w- c:\windows\bthservsdp.dat
    2010-05-20 19:09 . 2008-09-17 02:30 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
    2010-05-20 04:10 . 2010-04-11 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-19 05:56 . 2008-09-18 05:31 -------- d-----w- c:\users\Mae\AppData\Roaming\LimeWire
    2010-05-12 10:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-12 10:01 . 2008-09-16 23:38 -------- d-----w- c:\programdata\Microsoft Help
    2010-05-08 04:01 . 2008-09-17 00:48 91592 ----a-w- c:\users\Mae\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-07 10:03 . 2008-09-16 23:39 -------- d-----w- c:\program files\Microsoft Works
    2010-05-05 23:22 . 2008-09-29 01:30 592 ----a-w- c:\users\Mae\AppData\Roaming\wklnhst.dat
    2010-05-04 15:35 . 2008-10-10 01:18 -------- d-----w- c:\users\Mae\AppData\Roaming\Azureus
    2010-05-04 06:53 . 2008-09-17 01:22 -------- d-----w- c:\program files\Vuze
    2010-05-04 06:43 . 2008-09-17 03:53 -------- d-----w- c:\program files\Semagic
    2010-04-29 22:39 . 2010-04-11 17:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 22:39 . 2010-04-11 17:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-28 19:23 . 2009-10-15 00:54 -------- d-----w- c:\program files\AIM
    2010-04-15 04:45 . 2008-09-17 01:21 -------- d-----w- c:\program files\LimeWire
    2010-04-15 01:50 . 2008-09-16 23:40 -------- d-----w- c:\program files\Common Files\Java
    2010-04-15 01:50 . 2008-09-16 23:40 -------- d-----w- c:\program files\Java
    2010-04-15 01:33 . 2010-04-15 01:32 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-15 01:33 . 2009-06-05 01:23 -------- d-----w- c:\program files\iTunes
    2010-04-15 01:32 . 2010-04-15 01:32 -------- d-----w- c:\program files\iPod
    2010-04-15 01:32 . 2008-09-17 01:25 -------- d-----w- c:\program files\Common Files\Apple
    2010-04-15 01:30 . 2010-04-15 01:29 -------- d-----w- c:\program files\QuickTime
    2010-04-15 01:25 . 2008-09-17 03:35 -------- d-----w- c:\program files\Bonjour
    2010-04-13 00:29 . 2010-04-15 01:50 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-11 17:52 . 2010-04-11 17:52 -------- d-----w- c:\users\Mae\AppData\Roaming\Malwarebytes
    2010-04-11 17:51 . 2010-04-11 17:51 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-11 05:43 . 2008-09-16 23:37 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-05 14:01 . 2010-04-15 01:55 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-23 11:10 . 2010-04-15 01:55 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-02-23 11:10 . 2010-04-15 01:55 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-02-23 11:10 . 2010-04-15 01:55 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 06:39 . 2010-03-30 23:22 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33 . 2010-03-30 23:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 06:33 . 2010-03-30 23:22 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 04:55 . 2010-03-30 23:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:06 . 2010-03-11 11:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05 . 2010-03-11 11:00 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53 . 2010-03-11 11:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-25 2938552]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-06 65256]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
    "SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-04 40072]

    c:\users\Mae\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-7 576000]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):ab,85,be,06,86,e0,c9,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4229386456-4079888766-2179590344-1000]
    "EnableNotificationsRef"=dword:00000004

    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-10-24 717296]
    S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-06 26120]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-6822
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-6822
    uInternet Settings,ProxyOverride = *.local
    IE: Copy to Semagic - c:\program files\Semagic\copy.htm
    IE: Semagic - c:\program files\Semagic\link.htm
    Trusted Zone: adobe.com\get
    FF - ProfilePath - c:\users\Mae\AppData\Roaming\Mozilla\Firefox\Profiles\ee5mtgr4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/shegotthatlala?ref=profile|http://twitter.com/|http://www.tumblr.com/dashboard
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\users\Mae\AppData\Roaming\Mozilla\Firefox\Profiles\ee5mtgr4.default\extensions\runtime@panda3d.org\platform\WINNT_x86-msvc\plugins\nppanda3d.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII\Uninst.isu
    AddRemove-FINAL FANTASY VIII - c:\program files\Square Soft
    AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - c:\program files\Corel\Corel Painter Essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Mae\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-20 12:54
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP000000076A3690E30234D143 524288 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:64,c0,46,f4,0b,ab,8e,d9,ad,68,95,c9,a8,12,68,68,1b,e7,b1,ec,83,4b,01,
    bd,bd,75,7d,9d,b5,72,e4,1e,8e,96,ae,ed,50,9f,e7,e3,9c,07,a1,b2,c3,9d,f6,3b,\
    "??"=hex:07,de,44,c3,e1,a5,2d,8c,3a,c1,a5,01,82,31,bd,c1

    [HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\License information*]
    "datasecu"=hex:bd,4c,ac,6f,58,f0,54,34,b6,1e,09,4a,f8,9c,99,6d,c4,96,7a,30,e8,
    13,9b,74,cd,7d,a8,4e,50,b5,d4,09,96,4e,01,c5,44,8f,60,13,0c,07,01,ab,0c,db,\
    "rkeysecu"=hex:d1,f8,32,63,63,17,94,47,de,74,4d,e3,ec,e5,72,50

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    c:\windows\SYSTEM32\WISPTIS.EXE
    c:\program files\Common Files\microsoft shared\ink\TabTip.exe
    c:\windows\SYSTEM32\WISPTIS.EXE
    c:\program files\Common Files\microsoft shared\ink\TabTip.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\nexon\MapleStory\npkcmsvc.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Microsoft Windows OneCare Live\winss.exe
    c:\windows\system32\WTablet\TabUserW.exe
    c:\windows\system32\Tablet.exe
    c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    c:\windows\sttray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-20 13:10:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-20 20:09

    Pre-Run: 15,862,607,872 bytes free
    Post-Run: 15,800,729,600 bytes free

    - - End Of File - - F788F31F2C3DADA7EBE2B53171FA3D4E

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=663be20fb3b29849b3f4d64b7f08523e
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-05-21 02:32:24
    # local_time=2010-05-20 07:32:24 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=5892 16776574 100 95 30681447 110994491 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=473573
    # found=0
    # cleaned=0
    # scan_time=22180
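The helper reads a report like the one above for a few things first: ComboFix's disinfection notice, new kernel drivers inside the creation window, and anything catchme found hidden. Added example (Python; not ComboFix's own code and not from the thread): a triage pass over rows in the layouts that report uses, run on a constructed sample built from its lines. The "known tool drivers" set is an assumption based on the tools the poster said they ran.

```python
"""Triage a ComboFix report for the items a helper reads first.

Added example for this thread, not ComboFix's own code. It assumes the
line layouts visible in the report above:
  - "Files Created"/"Find3M" rows:  "<created> . <modified> <size|-----> <attrs> <path>"
  - disinfection notices:           "Infected copy of <path> was found and disinfected"
  - catchme hidden-file rows:       "<path> <size> bytes"
"""
import re
from dataclasses import dataclass
from typing import List

CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes$")

DRIVER_DIR = "\\windows\\system32\\drivers\\"
# Assumption: drivers belonging to tools the poster said they ran (Hitman Pro,
# Malwarebytes). They are expected in a window that covers those installs.
KNOWN_TOOL_DRIVERS = {"hitmanpro35.sys", "mbam.sys", "mbamswissarmy.sys"}


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info"
    reason: str
    path: str


def triage(report: str) -> List[Finding]:
    """Return findings in report order; rows that match nothing produce no finding."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            # A patched system driver is what ComboFix reports for this kind of
            # redirect infection; it is the first thing a helper wants to see.
            findings.append(Finding("high", "system file was patched by malware (ComboFix disinfected it)", m["path"]))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m["path"]
            lower = path.lower()
            is_dir = m["attrs"].startswith("d")
            if not is_dir and DRIVER_DIR in lower and lower.endswith(".sys"):
                name = lower.rsplit("\\", 1)[-1]
                if name in KNOWN_TOOL_DRIVERS:
                    findings.append(Finding("info", "driver installed by a scanning tool the poster ran", path))
                else:
                    findings.append(Finding("medium", "new kernel driver in the report window; vet its publisher", path))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            findings.append(Finding("medium", "file hidden from the Windows API (catchme rootkit scan)", m["path"]))
    return findings


def by_severity(findings: List[Finding]) -> List[Finding]:
    """Stable sort: high first, then medium, then info."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample: a handful of rows copied from the report above, not a full report.
SAMPLE_REPORT = r"""
Infected copy of c:\windows\system32\drivers\partmgr.sys was found and disinfected
Restored copy from - Kitty had a snack :p
2010-05-20 03:44 . 2010-05-20 03:44 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-20 01:41 . 2010-05-20 04:25 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-20 01:40 . 2010-05-20 01:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-11 23:07 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
c:\windows\TEMP\TMP000000076A3690E30234D143 524288 bytes
"""

if __name__ == "__main__":
    for f in by_severity(triage(SAMPLE_REPORT)):
        print(f"[{f.severity:6}] {f.path}  <- {f.reason}")
```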
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    P2P or 'file sharing' Warning:
    You have LimeWire, Azureus and Vuze on the system, all from 2008. Note: Even if you are using a "safe" P2P program, it is only the program that is safe. We recommend uninstalling P2P or file sharing programs for these reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    I can include their removal in the script I'm writing for you if you'd like. If you do not want to uninstall the programs, please do not use them while I am helping clean the system.

    Let me know.
     
  6. dearpheona

    dearpheona TS Rookie Topic Starter

    I hate to say it but I would like to keep Limewire and Vuze.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, but don't use them now.

    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\program files\Viewpoint\Common\ViewpointService.exe
    
    Folder::
    c:\programdata\Hitman Pro
    c:\program files\Hitman Pro 3.5
    
    Extra::
    File::
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    
    Firefox::
    Firefox-: Profile- c:\users\mae\appdata\roaming\mozilla\firefox\profiles\ee5mtgr4.default\
    
    DDS::
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    
    RegNull::
    [HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\License information*]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    Driver::
    Viewpoint Manager Service
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
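A CFScript is read section by section, so a directive that is not spelled exactly as ComboFix expects silently changes what the lines under it mean. Added example (Python; not ComboFix's own code and not from the thread): a small lint pass that splits a script into its directives and entries and reports slips such as a single-colon directive, an entry before any directive, or a File::/Folder:: entry that is not an absolute path. It assumes directives are bare words ending in "::" and only knows the directive names used in this thread; the sample it checks is a copy of the script above with the DDS directive written with one colon.

```python
"""Lint a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example for this thread, not ComboFix's own code. Assumptions drawn
from the script above: a directive is a bare word ending in "::"; every
other non-blank line is an entry of the most recent directive; the directive
names listed below are the ones used in this thread, not a complete list.
"""
import re
from typing import Dict, List, Optional, Tuple

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
SINGLE_COLON_RE = re.compile(r"^([A-Za-z]+):$")   # "DDS:" style slip
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
KNOWN_DIRECTIVES = {"KillAll", "File", "Folder", "Extra", "Firefox", "DDS", "RegNull", "RegLock", "Driver"}
PATH_DIRECTIVES = {"File", "Folder"}   # entries must be absolute Windows paths


def lint_cfscript(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (entries per directive, problems tagged with 1-based line numbers)."""
    sections: Dict[str, List[str]] = {}
    problems: List[str] = []
    current: Optional[str] = None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            if current not in KNOWN_DIRECTIVES:
                problems.append(f"line {no}: unknown directive {line!r}")
            continue
        m = SINGLE_COLON_RE.match(line)
        if m:
            # Assumed behaviour: with one colon no new section opens, so this line
            # and everything under it would be read as entries of the previous
            # directive. Treat it as the intended directive and flag it.
            current = m.group(1)
            sections.setdefault(current, [])
            want = current + "::"
            problems.append(f"line {no}: {line!r} has a single colon; directives end in '::' (did you mean {want!r}?)")
            continue
        if current is None:
            problems.append(f"line {no}: entry before any directive: {line!r}")
            continue
        if current in PATH_DIRECTIVES and not ABS_PATH_RE.match(line):
            problems.append(f"line {no}: {current}:: entry is not an absolute Windows path: {line!r}")
        sections[current].append(line)
    return sections, problems


# Constructed sample: the script from this thread, with the DDS directive
# written with a single colon on purpose so the lint has something to catch.
SCRIPT = r"""KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
c:\program files\Viewpoint\Common\ViewpointService.exe

Folder::
c:\programdata\Hitman Pro
c:\program files\Hitman Pro 3.5

Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

Firefox::
Firefox-: Profile- c:\users\mae\appdata\roaming\mozilla\firefox\profiles\ee5mtgr4.default\

DDS:
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

RegNull::
[HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\License information*]

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Driver::
Viewpoint Manager Service
"""

if __name__ == "__main__":
    sections, problems = lint_cfscript(SCRIPT)
    for name, entries in sections.items():
        print(f"{name}:: {len(entries)} entries")
    for p in problems:
        print("PROBLEM", p)
```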
     
  8. dearpheona

    dearpheona TS Rookie Topic Starter

    Here is the log
     


  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like you to run System Look again with slightly different file name:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      iastor.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Let me have the log please. By the way, did you know that once you have this group work on your system, they install their calling card? Geek Squad 24 Hour Computer Support

    How is the system running now?
     
  10. dearpheona

    dearpheona TS Rookie Topic Starter

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 11:25 on 22/05/2010 by Mae (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for " iastor.sys"
    No files found.

    -=End Of File=-



    It's running fantastic! No more redirects! Thank you so much for your help!!!

    And The Geek Squad stuff has been on there since I purchased this computer, I think. I got it from Best Buy so it's probably part of the software they include on all their products.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So problems have been resolved? That's a good thing! As for the Geek Squad entry, I'd remove it, but it's not an issue.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      (image: Run box showing Combofix /Uninstall)
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if you need any more help.
     
  12. dearpheona

    dearpheona TS Rookie Topic Starter

    The problem is gone and my computer is back to running great. Thank you so much for your help... you've been absolutely amazing! :) I'm so grateful for this!!
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome. Here are tips to help you stay clean:

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
    5. Use an AntiVirus Software (only one)
    See Virus, Spyware, and Malware Protection and Removal Resources

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.
     
Topic Status:
Not open for further replies.