Browser search redirect malware / virus

By kbrooks
Jun 3, 2010
Topic Status:
Not open for further replies.
  1. Greetings and thanks in advance.

    I have a Virus / Malware that redirects both Google and Yahoo search links. I routinely run Malwarebytes (MBAM) and have Avast and SpyBot continuously running. I have tried these security programs as well as smitfraudfix and fixwareout and continue to have problems.

    At this point, Avast quick scan detects no threats.
    I am attaching the following log files:

    MBAM: mbam-log.txt
    GMER: GMER.log
    DDS: dds.txt
    DDS: Attached.txt

    Thanks again,
    K

    Attached Files:

  2. kbrooks

    kbrooks Newcomer, in training Topic Starter

    ComboFix

    I noticed other users being asked to run ComboFix and decided to also run that. After running ComboFix, things appear to be working.

    Attached is the Combofix log: ComboFix-log.txt

    I look forward to your comments...

    Thanks again,
    K

    Attached Files:

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

If you had checked the sticky next to the removal thread, you would have seen "do not run Combofix unless instructed to do so by your helper."

Yes, we usually have most users run the program, but not necessarily right away. Understand that malware removal instructions are given specifically from what we see in the logs.

    Turn the Registry cleaner off. Do not make any changes to the Registry. Remove "Fix Wareout." Remove SmitFraud. Do not run any other cleaning programs or scans while I'm helping you unless instructed to do so.

You have a Rootkit. I will return with some script as soon as I finish checking the logs. In the meantime, run this:

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  4. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Please, never run Combofix on your own.

    1. Please open Notepad
    • Click Start , then Run
• Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\^.sys
    
    Folder::
    c:\documents and settings\LocalService\Application Data\McAfee
    
    
    Driver::
    ^
    p3.sys
    R1627Ka37
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  5. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Broni,

Thanks for your help. I apologize for running ComboFix; I should have seen the sticky.
I have deleted Smitfraud and Fixwareout. Your response said to "turn the Registry Cleaner off". I'm not sure what you are referring to.
    I will wait to run ESET.

    Thanks
    K
  6. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    I'll leave this topic to Bobbye, since she replied first.
    Good luck :)
  7. kbrooks

    kbrooks Newcomer, in training Topic Starter

Ran Eset; attached is the log file.
    Going to run Combofix with the provided script.

    Thanks again for your help,
    K

    Attached Files:

  8. kbrooks

    kbrooks Newcomer, in training Topic Starter

    OK, ran ComboFix with the provided script.
    Attached is the ComboFix log.

    Thanks much,
    K

    PS Is it normal for the script file to disappear? I don't seem to be able to find it now.

    Attached Files:

  9. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Good morning Bobbye and Broni,
I see that both of you have been present on the forum this morning. I also realized that in the posts above I have responded to requests from both of you. Broni, thanks for replying last night and passing this issue off to Bobbye.

    Bobbye, I ran Eset as you requested and the log is above. I also re-ran combo fix with the script provided by Broni; I initially thought this was the script you mentioned you would follow up with.

Anyway, things seem to be running well. I looked at the Eset log and it looks like the only things it found were nasties that Spybot found and quarantined?

    I look forward to thoughts.
    Thanks,
    K
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Sorry- didn't mean to confuse things. I'm just getting to my computer today.

    You can go ahead and delete these files that Spybot Search & Destroy found:
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv9.zip
They go from WinBankerfgv.zip through WinBankerfgv41.zip and are not in order.

    This is the Registry cleaner:
    uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
    It shows running in the DDS log. But it looks like it was removed in the first Combofix report.
Most of us don't recommend using a Registry cleaner.


It did its work!
    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below

    I'd like to move a few files:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    C:\fixwareout
    c:\documents and settings\All Users\Application Data\McAfee
    
    Registry::
    Driver::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.

    ========================================
    Please check and make sure the fixwareout program Directory has been removed:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Show Hidden Folders/Files
    • Open My Computer> Go to Tools > Folder Options> Select the View tab.
    • Check Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted> Click OK.
    Then double click on the Local Drive (C)> look for fixwareout and do a right click> Delete

    Go back and Reset Hidden/System Files & Folders
    Exit Windows Explorer
    ==============================
    To make sure there are no remaining bad entries: Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please let me know if any of the original problems remain.
  11. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Hi Bobbye,

    Thanks again for your help.

1) ran combofix with your new script: log file is attached

    2) delete fixwareout program directory:
This threw me for a loop. I read your post and before running combofix, I looked to see if the program directory was present. It was, but I didn't delete it because I figured there was a reason you told me to delete it in safe mode. So after running combofix, I rebooted in safe mode and the directory was gone. I rebooted normally and checked and it was gone. I searched for it and it looks like combofix quarantined it. Anyway, it's gone.

    3) ran Hijackthis:
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 03:38:19 PM, on 6/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kodak\AiO\center\KodakSvc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
    O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\AiO\center\KodakSvc.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8852 bytes

    -------------------------------------------------------------------
    Think that's all.
    Thanks,
    K

    Attached Files:

     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

Sorry, I thought I had the link for the direct download. But there were 2 versions on the page and instead of choosing Version 2.0.4, you picked the Beta version. I'm going to have to change that.

    Are you actively using and okay with PostgreSQL? I note you have the Service running:
    O23 - Service: postgresql-8.4 - PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe

Combofix is questioning it for some reason. There are also questions about the following:
    AMD Special Tools and AMDMSRIO
    The second driver, AMDMSRIO is running from the temp files and is for 'Safe To Delete 3_0_4_8'
    The 2 appear to be legitimate processes, but malware can hide anywhere.
    ========================================
    Before you run the script again, please let me know about the AMD Tools and Safe to Delete programs. IF you are not using these, I can include them in the script. If they are okay, just go ahead with the following:

    I also notice that a driver Broni had set up for removal is still present:

    The ^ is a Circumflex accent and I don't know why it shows here:
    S1 ^;^;c:\windows\system32\drivers\^.sys [1/23/2010 08:51 AM 0]

Let's try the removal again:

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\^.sys 
    Folder::
    
    RegDel::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ä]
    Driver::
^
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    ====================
  13. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Hi Bobbye,
    I now have Version 2.0.4 of Hijackthis.

    1) PostgreSQL: Yes I use this. Is there a problem with it; something else better?

    2) amdtools.sys and AMDMSRIO.sys:
I cannot find these on my computer. I searched for them on my c: drive and do not see them. I don't understand where the reference comes from. Do they come from the registry?

    I also see these driver references in Security Task Manager along with others that are grayed out, as if they are referenced somewhere but no longer present. The Error is, "The system cannot find the file specified". Are these the result of bad registry entries?

I guess we can update the script to remove the two additional drivers? What do you think?

    Thanks,
    K
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Yes, I can remove the AMD Tools entries. It might have been something that was preloaded. No problem with SQL but you might want to check and see if there is a driver update available.

    Please leave the Combofix after running the script. I'll add any remaining entries to be moved.

    How are you on the original problems? Have they been resolved?
  15. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Hi Bobbye,

    1) I'll check on updated SQL drivers

2) I don't understand this:
    "Please leave the Combofix after running the script. I'll add any remaining entries to be moved."

    3) The original problems seem to be resolved

    Thanks,
    K
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

Sorry- I forgot I put this line in: "Before you run the script again, please let me know about the AMD Tools and Safe to Delete programs. IF you are not using these, I can include them in the script. If they are okay, just go ahead with the following:"
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\^.sys 
    c:\windows\system32\DRIVERS\amdtools.sys
    c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys 
    Folder::
    
    Registry::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ä]
    
    Driver::
^
    amdtools
    AMDMSRIO
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    ====================
    Okay, I've added the other entries. Go ahead and run it, then leave the report. If the files have been moved and the problems resolved, I'll have you remove the cleaning tools.
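A small triage script, added here as an example and not a tool the helpers in this thread used, that flags the kinds of log entries that mattered above: the browser proxy pointing at 127.0.0.1 (the mechanism behind the search redirect), the driver named `^` with a 0-byte file, and a driver loading from a Temp directory. The sample lines are constructed for the example, modelled on the DDS and HijackThis lines quoted in this thread.

```python
"""Triage helper for DDS / HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass

# Reason codes attached to findings.
LOOPBACK_PROXY = "loopback-proxy"
ODD_SERVICE_NAME = "odd-service-name"
ZERO_SIZE_DRIVER = "zero-size-driver"
DRIVER_IN_TEMP = "driver-in-temp"

PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$", re.I)
LOOPBACK = re.compile(r"(^|[=;,/\s])(127\.\d+\.\d+\.\d+|localhost)(:\d+)?", re.I)
# DDS driver/service lines look like:  S1 name;display name;path [date time size]
SERVICE_LINE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?$"
)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
DRIVER_FILE = re.compile(r"\.sys\b", re.I)


@dataclass
class Finding:
    code: str
    line: str
    detail: str


def is_plain_name(name: str) -> bool:
    """Service/driver names made only of letters, digits, '_', '-' or '.'."""
    return re.fullmatch(r"[A-Za-z0-9_.\-]+", name) is not None


def triage_line(line: str) -> list:
    """Return the findings for one log line (empty list if nothing stands out)."""
    text = line.strip()
    findings = []

    # A proxy on the loopback interface means a local process sits between the
    # browser and the network and can rewrite search results.
    m = PROXY_LINE.search(text)
    if m and LOOPBACK.search(m.group("value")):
        findings.append(Finding(LOOPBACK_PROXY, text,
                                "browser proxy points at the local machine: " + m.group("value")))

    m = SERVICE_LINE.match(text)
    if m:
        name, meta = m.group("name"), m.group("meta") or ""
        if not is_plain_name(name):
            findings.append(Finding(ODD_SERVICE_NAME, text,
                                    f"service name {name!r} is not a plain identifier"))
        # The bracketed tail ends with the file size; a 0-byte driver image
        # means the real file is hidden or absent and deserves a second look.
        size = meta.split()[-1] if meta else ""
        if size == "0":
            findings.append(Finding(ZERO_SIZE_DRIVER, text, "driver file recorded with size 0"))

    if DRIVER_FILE.search(text) and TEMP_DIR.search(text):
        findings.append(Finding(DRIVER_IN_TEMP, text, "kernel driver loading from a Temp directory"))
    return findings


def triage_log(text: str) -> list:
    """Run triage_line over every non-empty line of a log and collect findings."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


# Constructed sample modelled on the DDS/HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
S1 ^;^;c:\windows\system32\drivers\^.sys [1/23/2010 08:51 AM 0]
R1 AMDMSRIO;AMDMSRIO;c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [5/1/2010 10:00 AM 9216]
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.detail}\n    {f.line}")
```

Flagged lines are only leads for a human reviewer; the HijackThis O23 and O4 entries for known software in the log above produce no findings, which is the point of keeping the rules narrow.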
  17. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Hello Bobbye,

    Attached is the combofix log.

    Thanks,
    K

    Attached Files:

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Did you do something with the PostgreSQL driver? All of these processes are now running:
    c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
    c:\program files\PostgreSQL\8.4\bin\postgres.exe
    c:\program files\PostgreSQL\8.4\bin\postgres.exe
    c:\program files\PostgreSQL\8.4\bin\postgres.exe
    c:\program files\PostgreSQL\8.4\bin\postgres.exe
    c:\program files\PostgreSQL\8.4\bin\postgres.exe
    c:\program files\PostgreSQL\8.4\bin\postgres.exe
  19. kbrooks

    kbrooks Newcomer, in training Topic Starter

    I had not done anything with PostgreSQL.

    I decided to backup my database, uninstall PostgreSQL and reinstall a slightly newer version.

    While doing that I found this:

    -- I'm seeing a lot of postgres.exe processes even though I only started the server once
    This is normal. PostgreSQL uses a multi-process architecture. In an empty system you will see anything from two to five processes. Once clients start to connect, the number of processes will increase.

    So it seems this is normal.

    Anything else we need to do?

thanks for your help,
    K
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're almost there, but there's a Registry entry remaining related to a driver we removed:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\^.sys
    Folder::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\^]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\^]
    @="Driver"
    
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
    
    Driver::
^
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    ====================
    I'll check this log then have you remove the tools.
  21. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Hi Bobbye,

    Attached is the latest ComboFix log.

    But.....

    Now something has changed and my database no longer works.

I ran ComboFix with the requested batch file. I had to leave while ComboFix was running. When I returned a few hours later, the computer was sleeping. Combofix then finished writing the report.

I started to reply to you with the log and also restarted the program I use that uses the database. The program would not work (it could not get access to the database). So I uninstalled PostgreSQL and reinstalled it. Now the database won't work. I get the following error:

    ------------------------------------
    Server doesn't listen

    The server doesn't accept connections: the connection library reports

    could not connect to server: Connection refused (0x0000274D/10061) Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5432?

    If you encounter this message, please check if the server you're trying to contact is actually running PostgreSQL on the given port. Test if you have network connectivity from your client to the server host using ping or equivalent tools. Is your network / VPN / SSH tunnel / firewall configured correctly?

    For security reasons, PostgreSQL does not listen on all available IP addresses on the server machine initially. In order to access the server over the network, you need to enable listening on the address first.

    For PostgreSQL servers starting with version 8.0, this is controlled using the "listen_addresses" parameter in the postgresql.conf file. Here, you can enter a list of IP addresses the server should listen on, or simply use '*' to listen on all available IP addresses. For earlier servers (Version 7.3 or 7.4), you'll need to set the "tcpip_socket" parameter to 'true'.

    You can use the postgresql.conf editor that is built into pgAdmin III to edit the postgresql.conf configuration file. After changing this file, you need to restart the server process to make the setting effective.

    If you double-checked your configuration but still get this error message, it's still unlikely that you encounter a fatal PostgreSQL misbehaviour. You probably have some low level network connectivity problems (e.g. firewall configuration). Please check this thoroughly before reporting a bug to the PostgreSQL community.
    -----------------------------------

    Could something have happened while running ComboFix this last time?

    Thanks,
    K

    Attached Files:

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    There has been a question about this process since the first Combofix report:
    In my reply #12:
    Your reply #15:
    My reply #18:
    Your answer in Reply #19:
    Your latest Combofix report:
    2010-06-08 03:55 -------- d-----w- c:\program files\PostgreSQL

R2 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

    There is still a question about this driver/Service

    But you have data loading from the Registry:
    And in "Other running processes":
    And this entry continues- I don't know if it's related or not:
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
The PrismXL service lets the Client deploy Tasks on a target computer regardless of the current user's permissions.

    I am not familiar with the PostgreSQL program. To the best of my knowledge, none of the entries that were moved related to this program. You will need to explore this problem on their support site. I let you know there was some question about it early on.

    From the message you quoted:
    If you double-checked your configuration but still get this error message, it's still unlikely that you encounter a fatal PostgreSQL misbehaviour. You probably have some low level network connectivity problems (e.g. firewall configuration)

    When you refer to 'listening', 'ports' and "Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5432?" it means configuration.
  23. kbrooks

    kbrooks Newcomer, in training Topic Starter

    Hi Bobbye,
    ok...
    -- PRISMXL.SYS is software from gateway that came with the computer.

    I have uninstalled and reinstalled PostgreSQL and the database program that uses it. Everything seems to be running normal now.

    Do you think we should do some kind of final scan or should we remove the tools?
    thanks,
    Kip
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    If this is clean, I'll have you remove the cleaning tools.
Please leave the log in your next reply.