Browser search redirect malware / virus

Status
Not open for further replies.

kbrooks

Posts: 13   +0
Greetings and thanks in advance.

I have a Virus / Malware that redirects both Google and Yahoo search links. I routinely run Malwarebytes (MBAM) and have Avast and SpyBot continuously running. I have tried these security programs as well as smitfraudfix and fixwareout and continue to have problems.

At this point, Avast quick scan detects no threats.
I am attaching the following log files:

MBAM: mbam-log.txt
GMER: GMER.log
DDS: dds.txt
DDS: Attached.txt

Thanks again,
K
 

Attachments

  • mbam-log.txt
    894 bytes · Views: 2
  • GMER.log
    9.6 KB · Views: 3
  • DDS.txt
    14 KB · Views: 3
  • Attach.txt
    15.5 KB · Views: 1
ComboFix

I noticed other users being asked to run ComboFix and decided to also run that. After running ComboFix, things appear to be working.

Attached is the Combofix log: ComboFix-log.txt

I look forward to your comments...

Thanks again,
K
 

Attachments

  • ComboFix-log.txt
    22 KB · Views: 4
If you had checked the sticky next to the removal thread, you would have seen "do not run Combofix unless instructed to do so by your helper."

Yes, we usually have most users run the program, but not necessarily right away. Understand that malware removal instructions are given specifically based on what we see in the logs.

Turn the Registry cleaner off. Do not make any changes to the Registry. Remove "Fix Wareout." Remove SmitFraud. Do not run any other cleaning programs or scans while I'm helping you unless instructed to do so.

You have a Rootkit. I will return with some script as soon as I finish checking the logs. In the meantime, run this:

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Please, never run Combofix on your own.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\^.sys

Folder::
c:\documents and settings\LocalService\Application Data\McAfee


Driver::
^
p3.sys
R1627Ka37

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
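Before a script like the one above is handed to ComboFix, it helps to see exactly what each directive will touch. The following Python parser is an added example written for this page; it is not ComboFix's own code and did not come from anyone in this thread. It splits a CFScript into its sections and lists the targets of each one. The one-line descriptions of what a section does (File:: deletes files, Driver:: removes a driver service, FCopy:: copies source | destination, and so on) are the commonly documented meanings and are an assumption here, and the sample script is constructed from the directives that appear in this thread.

```python
"""Parse a ComboFix CFScript into its sections so it can be reviewed.

Added example for this page; not ComboFix's own code. The per-section
descriptions are the commonly documented meanings (an assumption here).
"""
import re
from collections import OrderedDict

# Directive header -> what that section targets (assumed, for the summary).
SECTION_HELP = {
    "File": "files to delete",
    "Folder": "folders to delete",
    "Driver": "driver services to remove",
    "Registry": "registry entries to apply (.reg style)",
    "RegDel": "registry keys to delete",
    "RegNull": "registry keys with embedded nulls to delete",
    "FCopy": "file copies, written as 'source | destination'",
    "DDS": "DDS-reported settings to reset",
}

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")

# Constructed sample built from the directives used in this thread.
SAMPLE_SCRIPT = """\
File::
c:\\windows\\system32\\drivers\\^.sys

Folder::
c:\\documents and settings\\LocalService\\Application Data\\McAfee

Driver::
^
p3.sys
R1627Ka37

FCopy::
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys | C:\\Windows\\System32\\drivers\\atapi.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""


def parse_cfscript(text):
    """Return OrderedDict: section name -> list of non-blank entry lines.

    Lines before the first 'Name::' header go under '_preamble'; an empty
    section (header with no entries) is kept so the reviewer sees it.
    """
    sections = OrderedDict()
    current = "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def fcopy_pairs(sections):
    """Split FCopy entries into (source, destination) tuples."""
    pairs = []
    for entry in sections.get("FCopy", []):
        src, _, dst = entry.partition("|")
        pairs.append((src.strip(), dst.strip()))
    return pairs


def unknown_sections(sections):
    """Section names the reviewer should look up before running the script."""
    return [name for name in sections if name not in SECTION_HELP]


def review(text):
    """Human-readable summary of what the script will touch."""
    lines = []
    for name, entries in parse_cfscript(text).items():
        meaning = SECTION_HELP.get(name, "unrecognised directive, check before use")
        lines.append(f"[{name}] {meaning} ({len(entries)})")
        lines.extend(f"    {entry}" for entry in entries)
    return lines


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_SCRIPT)))
```

The summary makes the scope of a script visible at a glance: in the sample, the FCopy line restores atapi.sys from the ServicePackFiles copy, and the DDS line clears a browser proxy pointing at 127.0.0.1:5555, which is the setting behind the search redirects the thread opened with. Any section name the parser does not recognise is reported so it can be looked up rather than run blind.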
 
Broni,

Thanks for your help. I apologize for running ComboFix; I should have seen the sticky.
I have deleted Smitfraud and Fixwareout. Your response said to "turn the Registry Cleaner off". I'm not sure what you are referring to.
I will wait to run ESET.

Thanks
K
 
Ran Eset; attached is the log file.
Going to run Combofix with the provided script.

Thanks again for your help,
K
 

Attachments

  • Eset-log.txt
    7.7 KB · Views: 1
OK, ran ComboFix with the provided script.
Attached is the ComboFix log.

Thanks much,
K

PS Is it normal for the script file to disappear? I don't seem to be able to find it now.
 

Attachments

  • ComboFix-log-II.txt
    23.6 KB · Views: 2
Good morning Bobbye and Broni,
I see that both of you have been present on the forum this morning. I also realized that in the posts above I have responded to requests from both of you. Broni, thanks for replying last night and passing this issue off to Bobbye.

Bobbye, I ran Eset as you requested and the log is above. I also re-ran ComboFix with the script provided by Broni; I initially thought this was the script you mentioned you would follow up with.

Anyway, things seem to be running well. I looked at the Eset log and it looks like the only things it found were nasties that Spybot found and quarantined?

I look forward to thoughts.
Thanks,
K
 
Sorry- didn't mean to confuse things. I'm just getting to my computer today.

You can go ahead and delete these files that Spybot Search & Destroy found:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv9.zip
They go from WinBankerfgv.zip through WinBankerfgv41.zip and are not in order.

This is the Registry cleaner:
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
It shows running in the DDS log. But it looks like it was removed in the first Combofix report.
Most of us don't recommend using a Registry cleaner.


PS Is it normal for the script file to disappear? I don't seem to be able to find it now.
It did its work!
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below

I'd like to move a few files:

Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
C:\fixwareout
c:\documents and settings\All Users\Application Data\McAfee

Registry::
Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.

========================================
Please check and make sure the fixwareout program Directory has been removed:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Show Hidden Folders/Files
  • Open My Computer> Go to Tools > Folder Options> Select the View tab.
  • Check Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted> Click OK.
Then double click on the Local Drive (C)> look for fixwareout and do a right click> Delete

Go back and Reset Hidden/System Files & Folders
Exit Windows Explorer
==============================
To make sure there are no remaining bad entries: Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please let me know if any of the original problems remain.
 
Hi Bobbye,

Thanks again for your help.

1) ran ComboFix with your new script: log file is attached

2) delete fixwareout program directory:
This threw me for a loop. I read your post and before running combofix, I looked to see if the program directory was present. It was, but I didn't delete it because I figured there was a reason you told me to delete it in safe mode. So after running combofix, I rebooted in safe mode and the directory was gone. I rebooted normally and checked and it was gone. I searched for it and it looks like combofix quarantined it. Anyway, it's gone.

3) ran Hijackthis:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 03:38:19 PM, on 6/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8852 bytes

-------------------------------------------------------------------
Think that's all.
Thanks,
K
 

Attachments

  • ComboFix-log-III.txt
    23.2 KB · Views: 1
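A HijackThis log like the one above is read line by line by a helper who knows which entry types matter. As an added example for this page (not HijackThis code and not from anyone in this thread), the Python script below parses lines in the HJT entry format and flags the patterns discussed here: a ProxyServer value pointing at the local machine (the redirect setting seen in the DDS log), a startup or service entry running from a Temp folder (like the AMDMSRIO driver raised later in the thread), and O4/O23 entries that give no full path. The sample lines are constructed; the form of the R1 ProxyServer line is my assumption of how HJT reports a proxy setting.

```python
"""Triage a HijackThis-format log: parse entries and flag the patterns
discussed in this thread. Added example, not HijackThis code; the rules are
heuristics that narrow what a reader looks at, not verdicts."""
import re

# Constructed sample lines in HijackThis format (not the log above). The
# R1 ProxyServer line is my assumption of how HJT reports a proxy setting.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis (constructed sample)
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [avast5] C:\\PROGRA~1\\ALWILS~1\\Avast5\\avastUI.exe /nogui
O4 - HKLM\\..\\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\\..\\Run: [SafeToDelete] c:\\docume~1\\Owner\\LOCALS~1\\Temp\\Safe To Delete 3_0_4_8\\AMDMSRIO.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an extension HJT entries commonly carry.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|cab|lnk|htm|html))"?',
                     re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
LOCAL_PROXY_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)


def parse_hjt(text):
    """Return [(kind, body)] for each entry line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def first_path(body):
    """The first full Windows path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def flag_entry(kind, body):
    """Reasons this entry deserves a look; empty list means nothing matched."""
    reasons = []
    if kind == "R1" and "ProxyServer" in body and LOCAL_PROXY_RE.search(body):
        reasons.append("browser proxy points at the local machine (search-redirect pattern)")
    path = first_path(body)
    if path and TEMP_RE.search(path):
        reasons.append("runs from a Temp folder")
    if kind in ("O4", "O23") and path is None:
        reasons.append("no full path given; location unresolved")
    return reasons


def triage(text):
    """[(kind, body, reasons)] for entries with at least one reason, in log order."""
    flagged = []
    for kind, body in parse_hjt(text):
        reasons = flag_entry(kind, body)
        if reasons:
            flagged.append((kind, body, reasons))
    return flagged


if __name__ == "__main__":
    for kind, body, reasons in triage(SAMPLE_LOG):
        print(f"{kind}: {body}\n    -> {'; '.join(reasons)}")
```

Run against the full log above, the no-path rule would also flag the Logitech [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE entry, which is benign; that is exactly why the helper warns that most of what HijackThis finds is harmless or required. The script shortens the reading list, it does not decide what to fix.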
Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Sorry, I thought I had the link for the direct download. But there were 2 versions on the page and instead of choosing Version 2.0.4, you picked the Beta version. I'm going to have to change that.

Are you actively using and okay with PostgreSQL? I note you have the Service running:
O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe

Combofix is questioning it for some reason. There are also questions about the following:
AMD Special Tools and AMDMSRIO
The second driver, AMDMSRIO is running from the temp files and is for 'Safe To Delete 3_0_4_8'
The 2 appear to be legitimate processes, but malware can hide anywhere.
========================================
Before you run the script again, please let me know about the AMD Tools and Safe to Delete programs. IF you are not using these, I can include them in the script. If they are okay, just go ahead with the following:

I also notice that a driver Broni had set up for removal is still present:

The ^ is a Circumflex accent and I don't know why it shows here:
S1 ^;^;c:\windows\system32\drivers\^.sys [1/23/2010 08:51 AM 0]

Let's try the removal again:

Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\^.sys 
Folder::

RegDel::
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ä]
Driver::
^
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
 
Hi Bobbye,
I now have Version 2.0.4 of Hijackthis.

1) PostgreSQL: Yes I use this. Is there a problem with it; something else better?

2) amdtools.sys and AMDMSRIO.sys:
I cannot find these on my computer. I searched for them on my C: drive and do not see them. I don't understand where the reference comes from. Do they come from the registry?

I also see these driver references in Security Task Manager along with others that are grayed out, as if they are referenced somewhere but no longer present. The Error is, "The system cannot find the file specified". Are these the result of bad registry entries?

I guess we can update the script to remove the two additional drivers? What do you think?

Thanks,
K
 
Yes, I can remove the AMD Tools entries. It might have been something that was preloaded. No problem with SQL but you might want to check and see if there is a driver update available.

Please leave the Combofix after running the script. I'll add any remaining entries to be moved.

How are you on the original problems? Have they been resolved?
 
Hi Bobbye,

1) I'll check on updated SQL drivers

2) I don't understand this:
"Please leave the Combofix after running the script. I'll add any remaining entries to be moved."

3) The original problems seem to be resolved

Thanks,
K
 
Sorry- I forgot I put this line in: "Before you run the script again, please let me know about the AMD Tools and Safe to Delete programs. IF you are not using these, I can include them in the script. If they are okay, just go ahead with the following:"
I guess we can update the script to remove the two additional drivers? What do you think?

Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\^.sys 
c:\windows\system32\DRIVERS\amdtools.sys
c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys 
Folder::

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ä]

Driver::
^
amdtools
AMDMSRIO
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Okay, I've added the other entries. Go ahead and run it, then leave the report. If the files have been moved and the problems resolved, I'll have you remove the cleaning tools.
 
Hello Bobbye,

Attached is the combofix log.

Thanks,
K
 

Attachments

  • ComboFix-log-IIII.txt
    23.7 KB · Views: 2
Did you do something with the PostgreSQL driver? All of these processes are now running:
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
 
I had not done anything with PostgreSQL.

I decided to backup my database, uninstall PostgreSQL and reinstall a slightly newer version.

While doing that I found this:

-- I'm seeing a lot of postgres.exe processes even though I only started the server once
This is normal. PostgreSQL uses a multi-process architecture. In an empty system you will see anything from two to five processes. Once clients start to connect, the number of processes will increase.

So it seems this is normal.

Anything else we need to do?

thanks for your help,
K
 
You're almost there, but there's a Registry entry remaining related to a driver we removed:

Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\^.sys
Folder::

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\^]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\^]
@="Driver"

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

Driver::
^
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
I'll check this log then have you remove the tools.
 
Hi Bobbye,

Attached is the latest ComboFix log.

But.....

Now something has changed and my database no longer works.

I ran ComboFix with the requested batch file. I had to leave while ComboFix was running. When I returned a few hours later, the computer was sleeping. ComboFix then finished writing the report.

I started to reply to you with the log and also restarted the program I use that uses the database. The program would not work (it could not get access to the database). So I uninstalled PostgreSQL and reinstalled it. Now the database won't work. I get the following error:

------------------------------------
Server doesn't listen

The server doesn't accept connections: the connection library reports

could not connect to server: Connection refused (0x0000274D/10061) Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5432?

If you encounter this message, please check if the server you're trying to contact is actually running PostgreSQL on the given port. Test if you have network connectivity from your client to the server host using ping or equivalent tools. Is your network / VPN / SSH tunnel / firewall configured correctly?

For security reasons, PostgreSQL does not listen on all available IP addresses on the server machine initially. In order to access the server over the network, you need to enable listening on the address first.

For PostgreSQL servers starting with version 8.0, this is controlled using the "listen_addresses" parameter in the postgresql.conf file. Here, you can enter a list of IP addresses the server should listen on, or simply use '*' to listen on all available IP addresses. For earlier servers (Version 7.3 or 7.4), you'll need to set the "tcpip_socket" parameter to 'true'.

You can use the postgresql.conf editor that is built into pgAdmin III to edit the postgresql.conf configuration file. After changing this file, you need to restart the server process to make the setting effective.

If you double-checked your configuration but still get this error message, it's still unlikely that you encounter a fatal PostgreSQL misbehaviour. You probably have some low level network connectivity problems (e.g. firewall configuration). Please check this thoroughly before reporting a bug to the PostgreSQL community.
-----------------------------------

Could something have happened while running ComboFix this last time?

Thanks,
K
 

Attachments

  • ComboFix-log-V.txt
    22.8 KB · Views: 1
There has been a question about this process since the first Combofix report:
In my reply #12:
Are you actively using and okay with PostgreSQL? I note you have the Service running:
O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe
Combofix is questioning it for some reason

Your reply #15:
1) I'll check on updated SQL drivers
My reply #18:
Did you do something with the PostgreSQL driver? All of these processes are now running:
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe

Your answer in Reply #19:
I had not done anything with PostgreSQL.
I decided to backup my database, uninstall PostgreSQL and reinstall a slightly newer version.
While doing that I found this:
-- I'm seeing a lot of postgres.exe processes even though I only started the server once
This is normal. PostgreSQL uses a multi-process architecture. In an empty system you will see anything from two to five processes. Once clients start to connect, the number of processes will increase. So it seems this is normal.

Your latest Combofix report:
2010-06-08 03:55 -------- d-----w- c:\program files\PostgreSQL

R2 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

There is still a question about this driver/Service

But you have data loading from the Registry:
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"

And in "Other running processes":
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
And this entry continues- I don't know if it's related or not:
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
The PrismXL service lets the Client deploy Tasks on a target computer regardless of the current user's permissions.

I am not familiar with the PostgreSQL program. To the best of my knowledge, none of the entries that were moved related to this program. You will need to explore this problem on their support site. I let you know there was some question about it early on.

From the message you quoted:
If you double-checked your configuration but still get this error message, it's still unlikely that you encounter a fatal PostgreSQL misbehaviour. You probably have some low level network connectivity problems (e.g. firewall configuration)

When you refer to 'listening', 'ports' and "Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5432?" it means configuration.
 
Hi Bobbye,
ok...
-- PRISMXL.SYS is software from Gateway that came with the computer.

I have uninstalled and reinstalled PostgreSQL and the database program that uses it. Everything seems to be running normally now.

Do you think we should do some kind of final scan or should we remove the tools?
thanks,
Kip
 
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

If this is clean, I'll have you remove the cleaning tools.
Please leave the log in your next reply.
 