[Closed] Suspected malware or virus

By oldschooltie
Sep 4, 2011
Topic Status:
Not open for further replies.
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The deletions showing in Combofix are unusual. The CyberLink\PowerDVD\ should be running from the program files. Combofix deletions were from apps. What was your source for Cyberlink?

    I was trying to see the rest of the log starting with the section:
    ((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
    =======================================
    Please download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.

    After I review the log from above, I'll make the decision of what to do.

    Please do not leave me any other logs unless I request them.
  2. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    cyberlink source

    Powerdvd was already installed on PC when bought new from PC World.
  3. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    CKScanner log

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
    scanner sequence 3.NA.11.TSAPOX
    ----- EOF -----
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool, choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy.
    • Please return to this thread and paste the results here for review.
    ------------------------------------------
    This step is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ================================================
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      =====================================================
      Now download it new and run it again:
      --------------------------------------
      Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      • Once installed, you should see a blue screen prompt that says:
        The Recovery Console was successfully installed.
      • Click on Yes to continue scanning for malware.
      • If Combofix asks you to update the program, allow it.
      • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Close any open browsers.
      • Double click combofix.exe & follow the prompts to run.
      • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
      Re-enable your Antivirus software.

      Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
      Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
      =======================================
      Please leave only the 2 logs from these scans. Nothing else.

      Leave that log in your next post.

      Do not leave any other logs at this time.
  5. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    mga diagnostics

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-YXDGW-VHYVW-9QK9M
    Windows Product Key Hash: H7Smr1ocYUxDDsppdbyzUwQFi5U=
    Windows Product ID: 76487-OEM-2211906-00824
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 5.1.2600.2.00010100.3.0.med
    ID: {A061C278-C822-4EC9-BAB7-DECBA45F6AFA}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{A061C278-C822-4EC9-BAB7-DECBA45F6AFA}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-9QK9M</PKey><PID>76487-OEM-2211906-00824</PID><PIDType>2</PIDType><SID>S-1-5-21-2768898766-1709843061-3480073571</SID><SYSTEM><Manufacturer>Packard Bell BV</Manufacturer><Model>00000000000000000000000</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>20Q</Version><SMBIOSVersion major="2" minor="3"/><Date>20060719000000.000000+000</Date><SLPBIOS>NECC_,NEC-PC,NEC Computers,NEC_Product</SLPBIOS></BIOS><HWID>F52B3C070184C06C</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Packard Bell</name><model>Packard Bell Computer</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65050</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 100A0:packard Bell B.V|100A0:packard Bell B.V|1FA67:packard Bell B.V|1FA67:packard Bell B.V
    Marker string from OEMBIOS.DAT: NECC_,NEC-PC,NEC Computers,NEC_Product

    OEM Activation 2.0 Data-->
    N/A
  6. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Combofix scan

    ComboFix 11-09-24.04 - Owner 25/09/2011 8:10.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.417 [GMT 1:00]
    Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\apps
    d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
    d:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-25 05:55 . 2011-09-25 05:55 -------- d-----w- d:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-09-25 05:45 . 2011-09-25 05:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-15 22:01 . 2011-09-15 22:01 -------- d-----w- c:\program files\ESET
    2011-09-15 21:36 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-09-15 21:35 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-09-09 17:03 . 2011-09-09 17:03 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-09-09 09:12 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
    2011-09-04 22:17 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-04 22:17 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-04 19:59 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-09-04 19:59 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-09-04 19:59 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-09-04 19:59 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-09-04 19:59 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-09-04 19:59 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-09-04 19:59 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-09-04 19:59 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-09-04 19:59 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
    2011-09-04 19:59 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-09-04 19:59 . 2011-09-04 19:59 -------- d-----w- d:\documents and settings\All Users\Application Data\AVAST Software
    2011-09-04 19:59 . 2011-09-04 19:59 -------- d-----w- c:\program files\AVAST Software
    2011-09-04 19:32 . 2011-09-04 19:32 -------- d-----w- d:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
    2011-09-04 15:36 . 2011-09-04 15:37 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Facebook
    2011-09-03 15:20 . 2011-09-04 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-02 15:50 . 2009-06-15 04:11 3866528 ----a-w- c:\windows\system32\Flash10b.ocx
    2011-09-02 15:50 . 2011-09-02 15:50 -------- d-----w- c:\program files\BRC
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-09-10 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2004-09-10 13:57 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-09-10 13:57 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-01 39408]
    "Facebook Update"="d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-04 137536]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "SMSERIAL"="sm56hlpr.exe" [2005-10-18 557056]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7573504]
    "nwiz"="nwiz.exe" [2006-04-27 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-27 86016]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-08-10 26112]
    "Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
    "DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNjg4NjgxMTE5LVZJUCsxLVNQMSsxLUZMMTArMS1YTzEwKzExLVRVRyszLUREVCsxNjE1MC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzE&prod=90&ver=10.0.1392" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [04/09/2011 20:59 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/09/2011 20:59 320856]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/09/2011 20:59 20568]
    R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 13:07 503080]
    R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [10/08/2006 13:47 825600]
    R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [10/08/2006 13:47 7040]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
    S3 KKSJF;KKSJF;d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe --> d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-18 c:\windows\Tasks\doxillionShakeIcon.job
    - c:\program files\NCH Software\Doxillion\doxillion.exe [2011-05-02 18:10]
    .
    2011-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005Core.job
    - d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 15:36]
    .
    2011-09-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005UA.job
    - d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 15:36]
    .
    2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 10:28]
    .
    2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 10:28]
    .
    2011-09-24 c:\windows\Tasks\User_Feed_Synchronization-{7ABDF7C0-AAD1-4552-9F1F-BDAF6DC4EAF8}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
    .
    2011-05-02 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-04-24 11:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://bt.yahoo.com/start?.pd=l%3Danthonygodfrey11@btinternet.com%26c%3DK1gXhD2p2e7uH.80E1C6CGax
    uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    TCP: DhcpNameServer = 192.168.0.1
    DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://xchecker.reed.co.uk/Scanning/DynamicWebTwain.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-25 08:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(600)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(1768)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-09-25 08:26:00
    ComboFix-quarantined-files.txt 2011-09-25 07:25
    .
    Pre-Run: 18,054,897,664 bytes free
    Post-Run: 18,058,801,152 bytes free
    .
    - - End Of File - - BB91B1C95E8C95908984C7150EDF7759
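    As an added example (not from this thread, and not ComboFix's own code), a small Python triage script that parses lines in the shape of the 'Reg Loading Points' section above and flags the entries a helper reads first: binaries running from a Temp directory and entries whose file ComboFix could not find (the `[?]` and `[X]` markers), such as the KKSJF service. The sample lines are copied from the log above; the heuristics and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines copied from the 'Reg Loading Points' section of the
# ComboFix log in this thread (Run keys plus R/S service lines), with section
# separators as ComboFix writes them.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-01 39408]
"Facebook Update"="d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-04 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/09/2011 20:59 320856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
S3 KKSJF;KKSJF;d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe --> d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe [?]
"""

# "Name"="path" [date size] lines under a Run key
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# R<n>/S<n> service lines: start-type name;display name;image path [date time size]
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r'^[A-Z]{4,8}$')


@dataclass
class Entry:
    kind: str   # "run" or "service"
    name: str
    path: str   # resolved image path
    meta: str   # text inside the trailing [...]: "date size", "?" or "X"


def parse_entries(log_text: str) -> List[Entry]:
    """Pull autostart entries out of ComboFix-style log text; other lines are ignored."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["path"], m["meta"].strip()))
            continue
        m = SVC_RE.match(line)
        if m:
            path = m["path"]
            # ComboFix prints "<registry path> --> <resolved path>" when they differ;
            # the resolved path is the one to judge.
            if "-->" in path:
                path = path.split("-->", 1)[1].strip()
            entries.append(Entry("service", m["name"].strip(), path, m["meta"].strip()))
    return entries


def reasons_for(entry: Entry) -> List[str]:
    """Triage heuristics a helper applies while reading; a hit means 'look closer', not 'malware'."""
    reasons: List[str] = []
    if TEMP_DIR_RE.search(entry.path):
        reasons.append("binary runs from a Temp directory")
    if entry.meta in ("?", "X"):
        reasons.append(f"ComboFix could not find the file ([{entry.meta}])")
    # A short all-caps random-looking name is a weak signal on its own,
    # so it is only reported alongside a stronger one.
    if reasons and RANDOM_NAME_RE.match(entry.name):
        reasons.append("random-looking name")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged entry name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_entries(log_text):
        reasons = reasons_for(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```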
  7. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Update

    The redirect problem is getting worse. Were the combofix logs all present?
  8. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    I am using a laptop to post this message as the PC we are trying to fix is now virtually unusable. Please help.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If you can do anything at all, please run this:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe 
    Folder::
    DDS::
    mSearch Page =
    uInternet Connection Wizard,ShellNext = hxxp://bt.yahoo.com/start?.pd=l%3Danthonygodfrey11@btinternet.com%26c%3DK1gXhD2p2e7uH.80E1C6CGax
    uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearsh~1\mediabar\toolbar\BearshareMediabarDx.dll
    mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=24421b500000000000000016e61b4c16&tlver=1.4.19.19&affID=17160
    TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearsh~1\mediabar\toolbar\BearshareMediabarDx.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNjg4NjgxMTE5LVZJUCsxLVNQMSsxLUZMMTArMS1YTzEwKzExLVRVRyszLUREVCsxNjE1MC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzE"&"prod=90"&"ver=10.0.1392
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    Driver::
    KKSJF
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I suggest removing these from Scheduled TasK:
    Click on Start> Run> type in cmd> enter> at the blinking C Prompt type in each of the following with 'enter after each:
    Note: there is a space before each /
    Code:
    rem the two Facebook tasks (task names are the .job file names from the Scheduled Tasks section, without the extension)
    schtasks /End /TN "FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005Core"
    schtasks /End /TN "FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005UA"
    
    schtasks /End /TN "doxillionShakeIcon"
    
    In response, SchTasks.exe stops the instance of Notepad.exe that the task started, and it displays the following success message:

    SUCCESS: The Scheduled Task "xxxxxx" has been terminated successfully.

    If you have a problem or want to see other options, check HERE for the specific Commands.
    /schtasks.mspx?mfr=true
    =================================================
    red (Windows?) shield with a white "x" on it and a bubble saying firewall is not on and I may be at risk.
    That will be remedied.
  10. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    combofix scan

    Hi - followed above instructions to run combofix. combofix runs for approx 30 seconds and then stops/disappears/ends? I am not sure if it has completed what it needs to do but I cannot find any log produced from this scan to post.
    Will continue now with the scheduled task suggestions.
  11. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Scheduled tasks

    After Start>run>cmd>enter I get - D:/Documents and Settings\owner> and if I put in the codes given I get - Error - Invalid argument option
    What next please? Thanks.
  12. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Scheduled tasks - continued

    If I use link given I get - page cannot be found.

    I have tried running script through Combofix and it runs for about 30 seconds. The screen prompt then disappears and nothing else happens. I don't know if combofix has completed at this point. I cannot find any log to post. Where should I look?
    I am still being redirected. If not redirected when searching internet, occasionally a redirected address pops up in browser bar when searching with IE but eventually gives a relevant page.
    I will be away from my PC for 4 days. will continue on my return.
    Thanks.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Hold on stopping the Scheduled Tasks for now.

    1. Are you still being redirected?
    2. Try running the script again. You already have Combofix on the desktop.
    3. Please use the Edit feature instead of making a new post for one sentence. I get email feedback for each reply and it can be overwhelming at times!
     
  14. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Next step

    What is the next step to try please?
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

  16. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    update

    If I use link given I get - page cannot be found.

    I have tried running script through Combofix and it runs for about 30 seconds. The screen prompt then disappears and nothing else happens. I don't know if combofix has completed at this point. I cannot find any log to post. Where should I look?
    I am still being redirected. If not redirected when searching internet, occasionally a redirected address pops up in browser bar when searching with IE but eventually gives a relevant page.
    I will be away from my PC for 4 days. will continue on my return.
    Thanks.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay. We'll try a different approach when you return.
  18. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Ok Got back early. What is our next step please?
  19. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Next Step

    Awaiting instructions for next step please.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    A review:

    Does the redirect happen with all browsers?
    Does the redirect happen with all search engines?
    ---------------------------------
    As previously explained, the icons in that area, Notification Area, are for programs or processes that are running. It's normal to see the clock, the volume icon, the antivirus icon and 1 or 2 connection icons. Having icons show in the area has some control:
    Right click in empty area near clock> click on 'Customize Notification Area'> Click to Highlight the icon you want to change> set to one of these 3 settings:
    Always Show
    Always Hide
    Hide when inactive
    When finished> OK> Apply> OK
    ---------------------------------
    Note: These settings don't always hold. Keep in mind that if they represent programs you have checked on the Startup menu to start on boot, then run in the background, it is more effective to uncheck the program on the Startup Menu and not hide the icon.
    ====================================
    If this is the legitimate Security Center icon, you are being alerted about the firewall status.

    Note: Some rogue programs will show an icon "similar to" the legitimate security center icon, to make you think there is a problem when there may not be. The (Rogue.SystemSmartSecurity) found on your system is one of these types of programs.
    ======================================
    The multiple Mbam logs you left show new malware in each.
    =====================================
    The DDS log showed duplicate security programs:
    AV: System Smart Security *Enabled/Updated*
    AV: avast! Antivirus *Enabled/Updated*
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated*
    FW: System Smart Security *Enabled*
    FW: McAfee Firewall *Enabled*
    FW: AVG Firewall *Disabled*

    Once the malware for Smart Security has been removed, I can write script to remove it from the security scans headers.
    But you should only have 1 AV program and 1 firewall- decide on which to keep, uninstall the other.
    ===================================
    Combofix deleted a large number of multiple entries from
    c:\apps\DOC\01\Common\Monitor
    c:\apps\DOC\01\Common\howto
    c:\apps\DOC\01\Common\acsry
    c:\apps\CyberLink\PowerDVD\AVSettings
    c:\apps\DOC\01\Brand\howto
    c:\apps\DOC\01\Brand\Navigate
    c:\apps\DOC\01\Common\Desktop
    c:\apps\DOC\01\Common\Drives
    c:\apps\DOC\SETUP\01\Hardware
    and possibly others. Many were images, but there was text also

    I asked about these in Reply #48 but did not get any reply.
    What is the source of these please?
    =====================================
    It seems that Avast Web Shield began identifying infection: html:Iframe-inf on a site or some sites. Malware was found on the site and according to posts 10/6/2011, it was supposedly cleaned up. But if Avast blocks a site, it's doing its job. If Avast blocks a site that you know is a good site, then you can be concerned if it's a False Positive and should check the Avast Forums for news of this.
    =====================================
    We've been at this for a while. Please tell me how the system is doing and exactly what problems remain that you think are malware related.
  21. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    Review notes

    Hi and thanks for your help. Here are some notes on your review so far.

    Redirection is still a problem and no better than when we started.

    I use internet explorer.
    I have yahoo as home page. Any search redirects from yahoo home page. If I search for google.com or google.co.uk I get this message - "404 Not Found - nginx"
    On top right of screen there is a box with the Google logo in it. If I type into this box a search topic I always get sent to Gala Search Directory. Any search from this page gives the "404 Not Found" message again.
    I have tried Bing as a browser and this redirects too. I tried Webcrawler and this brings search results up in a new window and does not redirect. It will not however allow any links to Google and I get the "404" message still. I have not tried any other browsers as most seem to need downloading and, without your instruction, I do not want to compound the issue.
    I don't know how to try another search engine and will not do this without your assistance.
    Windows Security Center shows Avast a/v and windows firewall. I believe no other security or firewall is present after following your instructions for removal.
    Regarding entries Combofix deleted i.e. C:\apps\Doc\01\Common\Monitor etc
    You ask what the source of these is? I do not know what you mean by this, as stated in reply #48. How do I get you this info?

    Hope this info will clarify things.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Looks like you put Google docs on the system, possibly for Android, doc to html c apps iPhone, iPad APP
    Others were the Emoji app to use emoticons in my texts for iPhone> Japanese emoticons on iPhone
    Apparently people were using emoji-unlocking apps to steal the icons. Apple cracked down on emoji apps and removed the unlockers from their app store in Japan, and said that "future apps that involve the icons will be rejected in the mysterious approval process."

    I suppose that's why yours were removed. You used the Ulead Video ToolBox (UVTB2) app in the process of getting the images.
    ===================================
    I don't think you are having a redirect> that's not what a 404 error is> that error is telling you the page isn't there. This can mean one of 2 things: 1. The page at the site in the URL no longer exists or 2. the URL wasn't any good.

    The 404 error wasn't in the original post. What sites are you getting this error on?

    It's possible that the host files have been hijacked although they aren't showing up in the logs. We need to sort out the problems. You have mentioned multiple problems and left an excess of logs. We need to cut that down and try to focus on 1 thing.
    ============================================
    Sometimes simple is better- let's take a look at the host files:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ======================================
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer, when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
    ===========================================
    Note: Leave log for HijackThis- don't change anything.
    Leave log for Superantispyware and be sure to check the line Make sure everything found has a checkmark next to it

    No other logs. No other problems. I have checked both of these links and both are working. You can leave an example of a 404 page URL.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I don't think I had you do this, so please do it now:

    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
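A read-only check of the two hijack locations Bobbye points at in the two posts above (the hosts file, and the Internet Explorer LAN proxy setting) can be done from PowerShell 3 or later. This is an added example, not something from the thread or from HijackThis; the hosts file path and the WinINET registry value names (ProxyEnable, ProxyServer, AutoConfigURL) are the standard Windows ones, and nothing is modified.

```powershell
# Added example (not from the thread): inspect, without changing anything, the
# hosts file and the IE/WinINET proxy settings that can silently redirect browsing.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$proxyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Any hosts entry other than loopback -> localhost is worth a look: a classic
# search hijack maps google.com (or similar) to an address the user never chose.
function Get-NonDefaultHostsEntries {
    param([string]$Path = $hostsPath)
    if (-not (Test-Path $Path)) { return @() }
    Get-Content $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop comments and blank lines
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { return }        # malformed line, no hostname
        $ip    = $parts[0]
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            $isLoopback  = @('127.0.0.1', '::1') -contains $ip
            $isLocalName = @('localhost', 'localhost.localdomain') -contains $name
            if (-not ($isLoopback -and $isLocalName)) {
                [pscustomobject]@{ IP = $ip; Name = $name }
            }
        }
    }
}

# Same values the "LAN Settings" dialog shows: a proxy or a PAC (auto-config)
# URL the user did not set is another way every search can be steered elsewhere.
function Get-ProxyState {
    $p = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

$entries = Get-NonDefaultHostsEntries
if ($entries) {
    "Non-default hosts entries (review each one):"
    $entries | Format-Table -AutoSize
} else {
    "hosts file contains only localhost entries"
}
"Proxy settings for the current user:"
Get-ProxyState | Format-List
```

Run it in a PowerShell window on the affected machine; it only reports, so the findings can be pasted into a reply the same way the other logs are.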
  24. oldschooltie

    oldschooltie Newcomer, in training Topic Starter Posts: 68

    update and example.

    Hi
    I have looked at LAN settings and "Use a proxy server for your LAN" was already unchecked.

    The 404 message usually only comes up when trying to use anything "Google" related, including the box on the top right of the homepage with the Google logo in it (which sends me to Gala). The 404 message very rarely comes up if I stay clear of Google.
    Incidentally, before contacting TechSpot I tried Microsoft as a first attempt at sorting the malware/redirect problem and after going around in circles they suggested downloading Google Chrome. I did this but have never been able to get it to work. The 404s started at this point, but as I don't/can't use Google, that is why I very rarely get 404s.

    Here is a typical example of the redirects I get.
    Using the Yahoo homepage I search for "The Damned" (a UK punk/rock band).
    Top of the search list is the Official Damned website.
    Click on this and, as something is trying to load up, the tab on the page displays "strongbodys.net" for a couple of seconds, then this disappears and then I get a homepage for "u.lotteries.in".
    Let's go back to the Yahoo search results, so I hit the top left of screen blue "back" arrow.
    I'm now back to the Yahoo search results again. Click on the same Official Damned website and it takes me to "Forex.com". From here I cannot go backwards and have to close the tab.
    Start from the Yahoo search results again and I get straight to the correct website.

    The sites I experience being redirected to are different every time and are usually trying to sell something or recruitment agencies asking me to "sign up". The number of attempts varies - sometimes with success and sometimes without.


    I have started working on your last reply but am unsure as to whether to continue until contacting you again - this is why....
    I downloaded and saved HijackThis to my desktop. If I right click the HT icon on the desktop and select Extract All, I get the Extraction Wizard, then click 'Next', I get "files will be extracted to this directory" -
    D:\Documents and Settings\Owner\Desktop\Hijack This.
    This is not drive "C" so that is why I am questioning the next move.

    Regards.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    To set up the Directory for HijackThis:

    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder Hijackthis
    Exit Explorer

    Click on 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'> Select C Drive> C:\HijackThis> next> Check 'Show extracted files'> Finish

    Double click to run HijackThis.exe

    Now you have set up a Directory for just HJT. Sounds like a lot of work, but it isn't. It can be done in 1 step, but I thought this would be easier.