TechSpot

Google Search - Diverted to numerous unwanted sites

By davidthesailor
Jul 25, 2010
  1. System description

    Windows XP Home Edition Service Pack 3 (build 2600) Dell Computer Corporation OptiPlex 170L , 2.80 gigahertz Intel Pentium 4, 16 kilobyte primary memory cache, 1024 kilobyte secondary memory cache.
    Conexant D850 56K V.9x DFVc Modem


    Intel(R) PRO/100 VE Network Connection
    primary Auto IP Address: 192.168.1.67 / 24
    Gateway: 192.168.1.254
    Dhcp Server: 192.168.1.254
    Physical Address: 00:13:20:19:B1:7A
    Juniper Network Connect Virtual Adapter
    Dhcp Server: 10.140.239.239
    Physical Address: 00:FF:30:8D:00:87

    Networking Dns Server: 192.168.1.254
    ESET Smart Security 4.2 Version 4.2

    Google is the default search tool. After coducting a google search and selecting the desired site if I double click to go to the site I am frequently (but naot always) diverted to another search site or advertising. Some look like genuine sites such as e bay but do not have the right feel. I can get to the desired site by copy and paste into thwe address bar.

    If I am diverted and then look at the dropdown arrow I see a Blank Line above the google search and below the site I have been diverted to. I think I have a case of a malware which has captured somwething on my settings. I have reset the default search page etc via the control pannel etc.

    Because I have to work with company databases I am forced to remain on IE6 and XP so the option to get more protection from IE8 or another browser does not exist.
    I ran the 8 steps. The GMER scan failed 2 times and was re run, each time I got the blue DOS warning screen, finally completed the scan after 6 hours. Down loaded and ran the DDS scan several times but did not get th anticipated results - have not attached the file as it appeared too big - (see below). I did not get the dialogue box or the 2 files mentioned in the text and it was a complete jumble of symbols - one readable line said - cannot be run in DOS mode - I was noyt in DOS mode at the time. Got same results whether connected to internet or not and when real time control was off or on. Trying to uplaod the DDS file I got the fo;;owing warning - ddsoutput.txt:
    Your file of 513.5 KB bytes exceeds the forum's limit of 200.0 KB for this filetype. 'ddsoutput.txt: Your file of 513.5 KB bytes exceeds the forum's limit of 200.0 KB for this filetype. ' I cna send this as a txt attachment if necessary but am concerned it may be corrupted so have not included it in this post.

    Thank you for your support and appologies for not being able to complete all the steps with DDs

    Othrewise all MS and programme files are up to date according to MS
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

  3. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Thank you for your fast response I have uplaoded the file as requested file name ddsoutput, sorry I could have been more specific hope you casn trace it

    David
     
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You didn't post any link to download it.
     
  5. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    http://www.uploadmb.com/dw.php?id=1280160853; <A HREF='http://www.uploadmb.com/dw.php?id=1280160853'>ddsoutput.txt</A>;
    ddsoutput.txt

    I have uploaded it again and these were the Down load codes at the bottom of the page. Aplologies for the inconvenience I have never done this before but of course I now realise that this is the only way you could find the file.
    David
     
  6. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    All I got in downloaded file is a gibberish.
    We'll work around it.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

    =======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Yes I thought the dds file was a load of rubbish it clearly did not produce the expected result when the progamme ran

    Here are the contents of the OLT and Extras files to follow
    Edit >. select all> Edit Copt and paste _. Pasted the OLT file and got the following message "The text that you have entered is too long (55517 characters). Please shorten it to 20000 characters long."
    here is Extras file. Similar error message -"The text that you have entered is too long (25798 characters). Please shorten it to 20000 characters long""".

    I have gone to 'advanced 'section and uploaded the 2 text files, hope this was the right thing to do?

    http://www.techspot.com/vb/attachment.php?attachmentid=63889&stc=1&d=1280251410

    http://www.techspot.com/vb/attachment.php?attachmentid=63890&stc=1&d=1280251499
    Tank you for patience and help
    David
     

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    ...and Combofix...
     
  9. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Here it is I was doing one step at a time so that if the unexpected happened I could re trace my steps
    David
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    How is redirection?

    Combofix removed a lot of files and I suspect, some of them may be false positive.
    Please, open Combofix log, which you attached with your last reply and look at 1st section "Other Deletions".
    Do you recognize any of those files?
     
  11. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Thank you, and good morning
    I recognise almost all the file titles but not the location all my document and working files are (should be on the D drive not the c drive as this seems to show. I do not recognise the web/web** bit of the file name on any of the files but that I suspect that is part of the analysiis process.

    I have attached a list of files with names do not recognise
    David
     

    Attached Files:

  12. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Broni,
    Thank you for all your help so far.Noting the time differences I would not expect to hear from you until much later today - Evening time in UK.

    I will check the mail tonight however I depart for a business trip tomorrow morning until wednesday next week so will not pick up any instructions or advice for a week. Please bear with me if you do not get a reply after tonight. I will check mail this evening.
    Thanks again
    David
     
  13. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    I have been working fairly constantly and conducted a number of searches via Google during the day amnd am very pleased that not once have I been diverted to an unexpected site.
    David
     
  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Very well then :)
    I just wanted to make sure, I'm not deleting some important files of yours...

    I'm also glad to see, that redirection is gone :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DirLook::
    c:\documents and settings\Ewing Consultants\Application Data\Oksyta
    c:\documents and settings\Ewing Consultants\Application Data\Ubve
    c:\documents and settings\Ewing Consultants\Application Data\Xoree
    c:\documents and settings\Ewing Consultants\Application Data\Mycuor
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  15. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    All done, it is now after 2300 hrs here and I depart foe a flight at 0500 so I will not be able to progress this further until my return next Wednesday - but we seem to be making progress. Thank you here is the Combofix log

    ComboFix 10-07-27.05 - Ewing Consultants 28/07/2010 22:52:22.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.476 [GMT 1:00]
    Running from: c:\documents and settings\Ewing Consultants\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ewing Consultants\Desktop\CFScript.txt
    AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
    .

    2010-07-25 10:57 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-25 10:57 . 2010-07-25 10:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-25 10:57 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-14 06:57 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-14 18:47 . 2006-03-08 09:19 -------- d-----w- c:\program files\QuickTime
    2010-06-30 16:28 . 2009-05-16 14:17 -------- d-----w- c:\documents and settings\Ewing Consultants\Application Data\Oksyta
    2010-06-30 16:14 . 2007-12-08 15:32 -------- d-----w- c:\documents and settings\Ewing Consultants\Application Data\Ubve
    2010-06-28 14:33 . 2005-03-21 21:48 702464 ----a-w- c:\program files\ms money Nov 09.mny
    2010-06-14 14:31 . 2004-08-10 13:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-11 19:47 . 2010-03-31 21:58 -------- d-----w- c:\documents and settings\Ewing Consultants\Application Data\Xoree
    2010-06-11 19:45 . 2007-07-16 17:53 -------- d-----w- c:\documents and settings\Ewing Consultants\Application Data\Mycuor
    2010-06-04 15:46 . 2009-09-29 09:23 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-02 14:43 . 2009-12-02 11:33 -------- d-----w- c:\documents and settings\Ewing Consultants\Application Data\HpUpdate
    2010-05-10 13:35 . 2010-05-10 13:35 161632 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-05-10 13:34 . 2010-05-10 13:34 823928 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\Host Checker\AVManagerUnified.dll
    2010-05-10 13:34 . 2010-05-10 13:34 291696 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-05-10 13:33 . 2010-05-10 13:33 36948 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\setup\uninstall.exe
    2010-05-02 05:22 . 2004-08-10 12:51 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-02-28 12:30 . 2010-02-28 12:30 2169915 ----a-w- c:\program files\ImgBurn_2.5.0.0.exe
    2009-09-07 16:21 . 2009-09-07 16:21 1648478 ----a-w- c:\program files\FileManager.exe
    2007-10-04 07:10 . 2007-10-04 07:10 12531691 -c--a-w- c:\program files\Kd50e.exe
    2006-06-20 17:16 . 2006-06-20 17:16 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2005-07-04 14:00 . 2000-10-16 12:30 217088 -c--a-w- c:\program files\SpaceMonger.exe
    2005-04-08 11:11 . 2005-04-08 10:53 121558528 -c--a-w- c:\program files\AcTR7EFG.exe
    2005-03-21 19:52 . 2005-03-21 19:52 272384 -c--a-w- c:\program files\SAMPLE.MNY
    2005-03-21 19:52 . 2005-03-21 19:52 4320768 ----a-w- c:\program files\MSMONEY.EXE
    2005-03-21 19:52 . 2005-03-21 19:52 14253 -c--a-w- c:\program files\README.TXT
    2004-08-04 05:00 . 2004-08-10 12:51 94784 -csh--w- c:\windows\twain.dll
    2008-04-14 00:12 . 2004-08-10 12:51 50688 --sh--w- c:\windows\twain_32.dll
    2007-05-29 14:11 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfl.dat
    2002-04-16 10:27 . 2002-04-16 10:27 5 -csha-w- c:\windows\system32\CdI5T.drv
    1998-03-20 00:00 . 1998-03-20 00:00 1048 -csha-w- c:\windows\system32\flfnlf.sys
    2008-04-14 00:11 . 2004-08-10 12:51 1028096 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 . 2004-08-10 12:51 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 . 2004-08-10 12:51 11776 --sh--w- c:\windows\system32\regsvr32.exe
    2010-02-09 15:46 . 2010-02-09 15:46 88576 --sha-r- c:\windows\system32\shdocvwp.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\Ewing Consultants\Application Data\Mycuor ----


    ---- Directory of c:\documents and settings\Ewing Consultants\Application Data\Oksyta ----

    2010-06-30 16:28 . 2010-06-30 16:28 3024 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Oksyta\ufzuf.aru

    ---- Directory of c:\documents and settings\Ewing Consultants\Application Data\Ubve ----


    ---- Directory of c:\documents and settings\Ewing Consultants\Application Data\Xoree ----

    2010-06-11 19:48 . 2010-06-11 19:55 1720 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Xoree\dicu.iqy


    ((((((((((((((((((((((((((((( SnapShot@2010-07-27_18.05.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-28 21:40 . 2010-07-28 21:40 16384 c:\windows\temp\Perflib_Perfdata_d0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-19 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-03-24 2145000]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-07-14 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [09/04/2009 15:18 114984]
    R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [02/10/2007 17:00 24786]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24/03/2010 20:31 810120]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/01/2010 10:04 135664]
    S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [17/08/2001 12:11 20160]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 11:58 11336]
    S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [02/10/2007 17:00 45534]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-14 09:04]

    2010-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-14 09:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: motive.com\pbttbc.bt
    Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
    Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ras-uk.ihs.com/dana-cached/sc/JuniperSetupClient.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-28 22:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3000975372-3708929796-4007856590-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2900)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-07-28 23:01:43
    ComboFix-quarantined-files.txt 2010-07-28 22:01
    ComboFix2.txt 2010-07-27 18:08

    Pre-Run: 7,436,615,680 bytes free
    Post-Run: 7,420,194,816 bytes free

    - - End Of File - - 6137A28B1506A2371E68DC04746BB343
     
  16. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Things look pretty good :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\Ewing Consultants\Application Data\Mycuor
    c:\documents and settings\Ewing Consultants\Application Data\Ubve
    c:\documents and settings\Ewing Consultants\Application Data\Xoree
    c:\documents and settings\Ewing Consultants\Application Data\Oksyta
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt


    Have a safe trip :)
     
  17. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Have run this and here are the next set of results - back next Wednesdat
    Thank you
    Davidi
    ComboFix 10-07-28.01 - Ewing Consultants 29/07/2010 8:38.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.562 [GMT 1:00]
    Running from: c:\documents and settings\Ewing Consultants\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ewing Consultants\Desktop\CFScript.txt
    AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Ewing Consultants\Application Data\Mycuor
    c:\documents and settings\Ewing Consultants\Application Data\Oksyta
    c:\documents and settings\Ewing Consultants\Application Data\Oksyta\ufzuf.aru
    c:\documents and settings\Ewing Consultants\Application Data\Ubve
    c:\documents and settings\Ewing Consultants\Application Data\Xoree
    c:\documents and settings\Ewing Consultants\Application Data\Xoree\dicu.iqy

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
    .

    2010-07-25 10:57 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-25 10:57 . 2010-07-25 10:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-25 10:57 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-14 06:57 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-14 18:47 . 2006-03-08 09:19 -------- d-----w- c:\program files\QuickTime
    2010-06-28 14:33 . 2005-03-21 21:48 702464 ----a-w- c:\program files\ms money Nov 09.mny
    2010-06-14 14:31 . 2004-08-10 13:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-04 15:46 . 2009-09-29 09:23 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-02 14:43 . 2009-12-02 11:33 -------- d-----w- c:\documents and settings\Ewing Consultants\Application Data\HpUpdate
    2010-05-10 13:35 . 2010-05-10 13:35 161632 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-05-10 13:34 . 2010-05-10 13:34 823928 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\Host Checker\AVManagerUnified.dll
    2010-05-10 13:34 . 2010-05-10 13:34 291696 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-05-10 13:33 . 2010-05-10 13:33 36948 ----a-w- c:\documents and settings\Ewing Consultants\Application Data\Juniper Networks\setup\uninstall.exe
    2010-05-02 05:22 . 2004-08-10 12:51 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-02-28 12:30 . 2010-02-28 12:30 2169915 ----a-w- c:\program files\ImgBurn_2.5.0.0.exe
    2009-09-07 16:21 . 2009-09-07 16:21 1648478 ----a-w- c:\program files\FileManager.exe
    2007-10-04 07:10 . 2007-10-04 07:10 12531691 -c--a-w- c:\program files\Kd50e.exe
    2006-06-20 17:16 . 2006-06-20 17:16 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2005-07-04 14:00 . 2000-10-16 12:30 217088 -c--a-w- c:\program files\SpaceMonger.exe
    2005-04-08 11:11 . 2005-04-08 10:53 121558528 -c--a-w- c:\program files\AcTR7EFG.exe
    2005-03-21 19:52 . 2005-03-21 19:52 272384 -c--a-w- c:\program files\SAMPLE.MNY
    2005-03-21 19:52 . 2005-03-21 19:52 4320768 ----a-w- c:\program files\MSMONEY.EXE
    2005-03-21 19:52 . 2005-03-21 19:52 14253 -c--a-w- c:\program files\README.TXT
    2004-08-04 05:00 . 2004-08-10 12:51 94784 -csh--w- c:\windows\twain.dll
    2008-04-14 00:12 . 2004-08-10 12:51 50688 --sh--w- c:\windows\twain_32.dll
    2007-05-29 14:11 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfl.dat
    2002-04-16 10:27 . 2002-04-16 10:27 5 -csha-w- c:\windows\system32\CdI5T.drv
    1998-03-20 00:00 . 1998-03-20 00:00 1048 -csha-w- c:\windows\system32\flfnlf.sys
    2008-04-14 00:11 . 2004-08-10 12:51 1028096 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 . 2004-08-10 12:51 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 . 2004-08-10 12:51 11776 --sh--w- c:\windows\system32\regsvr32.exe
    2010-02-09 15:46 . 2010-02-09 15:46 88576 --sha-r- c:\windows\system32\shdocvwp.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-27_18.05.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-29 07:29 . 2010-07-29 07:29 16384 c:\windows\temp\Perflib_Perfdata_100.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-19 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-03-24 2145000]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-07-14 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [09/04/2009 15:18 114984]
    R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [02/10/2007 17:00 24786]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24/03/2010 20:31 810120]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/01/2010 10:04 135664]
    S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [17/08/2001 12:11 20160]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 11:58 11336]
    S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [02/10/2007 17:00 45534]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-14 09:04]

    2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-14 09:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: motive.com\pbttbc.bt
    Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
    Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ras-uk.ihs.com/dana-cached/sc/JuniperSetupClient.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-29 08:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3000975372-3708929796-4007856590-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-07-29 08:48:12
    ComboFix-quarantined-files.txt 2010-07-29 07:48
    ComboFix2.txt 2010-07-28 22:01
    ComboFix3.txt 2010-07-27 18:08

    Pre-Run: 7,363,092,480 bytes free
    Post-Run: 7,345,860,608 bytes free

    - - End Of File - - ADF2A6D4C9D04AC9262574C3810BB6D0
     
  18. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Cool :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  19. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Good evening, back early and getting to grips with the next stage.
    Have uninstalled Combofix, it seemed to want to have the virus checker swithed off - do I disabled real time monitorin - Hope that is OK.

    Downloaded OLT copy and paste your text and ran quick scan result below for OLT Txt

    Message "The text that you have entered is too long (54041 characters). Please shorten it to 20000 characters long." I have attached the file

    I can not see any other OLT files - I will run the scan again and forward result in new message

    PS All the Favourite shortcuts in Google seem to have been disabled - I presume this is a result of what we are doing now - will/can they be recovered at the end of the process or do i start to rebuild the list afresh? They worked fine before I ran the programme on Thursday last week
    David
     

    Attached Files:

    • OTL.Txt
      File size:
      104.8 KB
      Views:
      2
  20. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    It happens sometimes with OTL, that it'll not produce 2nd log. No worries.
    As for favorites, I'm not sure. It may be post-infection effect.
    We didn't touch them.
    Anyone said "backup"? :)

    =======================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - No CLSID value found.
      O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\play2p.lnk = C:\Program Files\play2p\play2p.exe File not found
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2007/05/23 16:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
      [2008/10/20 13:14:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vqlctqxs
      [2007/05/21 19:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZILLAbar
      [2006/05/22 17:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ewing Consultants\Application Data\Registry Booster
      [2006/08/24 12:19:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ewing Consultants\Application Data\Registry Cleaner
      [2010/02/25 09:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ewing Consultants\Application Data\Uniblue
      @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703
      @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  21. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Java updated from V6 update 14 to V6 update 21
    Processes completed here is the OTL Run Fixes Result - Idid not and was not prompted to disable real time protection - was this right?
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F2CF5485-4E02-4F68-819C-B92DE9277049} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2CF5485-4E02-4F68-819C-B92DE9277049}\ not found.
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\play2p.lnk moved successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\Documents and Settings\All Users\Application Data\STOPzilla!\Quarantine folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\STOPzilla! folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\vqlctqxs folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\ZILLAbar folder moved successfully.
    C:\Documents and Settings\Ewing Consultants\Application Data\Registry Booster folder moved successfully.
    C:\Documents and Settings\Ewing Consultants\Application Data\Registry Cleaner\Backups folder moved successfully.
    C:\Documents and Settings\Ewing Consultants\Application Data\Registry Cleaner folder moved successfully.
    C:\Documents and Settings\Ewing Consultants\Application Data\Uniblue\Registry Booster2 folder moved successfully.
    C:\Documents and Settings\Ewing Consultants\Application Data\Uniblue folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
    ========== SERVICES/DRIVERS ==========

    OTL by OldTimer - Version 3.2.9.1 log created on 08042010_081656
    Quick Scan result to follow
    David
     
  22. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Here is the OTL report attached.

    Thanks David
     

    Attached Files:

    • OTL.Txt
      File size:
      80 KB
      Views:
      1
  23. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Very good :)

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  24. davidthesailor

    davidthesailor TS Rookie Topic Starter Posts: 21

    Security Check and TFC run, here is repoort

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    ESET Smart Security
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    CCleaner
    Java(TM) 6 Update 21
    Adobe Flash Player
    Adobe Reader 9.3.3
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

    I have to run IE 6 for the business connections otherwise I would use another browser.

    You commented on Backup earlier. I did not back up at the time of the problem in case I made things worse. Once we are completed can I go back to a restore point and get the web addresses for the IE links or will this reintroduce the problem?

    Having difficulty getting Kaspersky to down load

    Having difficulty getting Kaspersky files to down load, I get to the site no prob;em butthe programme will not strat to down load. I am connected to the intrnet (broadband) and can not see how to launch the Java Application
    Kapesky warning message reads
    "Launch of the Java Application is interupted. Please establish an uninterupted Internet connection for work with this program" Can you give more guidance please
    David
     
  25. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Unfortunately, we'll have to reset restore points, in case some of them are infected. We don't want your computer to be reinfected.

    Instead of Kaspersky...

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...