Help! Redirecting virus

By anubis202
Jun 16, 2010
  1. Hello, recently I found that almost all of my google searches are being redirected to advertisement sites. The website it redirects to is "adwords.onlinesecuregroup..." It seems to affect both google and yahoo searches but I haven't tried any others.

    I have tried many of the free antivirus tools but none have cured it. I completed the 8 preliminary steps and my results are posted.

    I had some trouble with the gmer program- the first time I ran it, I got the "blue screen of death" so I tried it again with "devices" un-checked and it crashed again. I ran it in safe mode but only one item came up during the scan, compared to many that came up on the failed scans.

    After I finished the 8 steps, I tried to log on to this forum to post and the webpage would state that I had successfully logged on, but I still wouldn't be able to post. I logged onto my guest account and it worked here. I also tested google to see if the redirect is affecting this username too but it doesn't seem like it is.

    I would greatly appreciate any help with this!

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Okay, we need to dig deeper. I will ask you to uninstall Hitman Pro. It is just a bundle of programs that you can get free on the internet. Most are being used without the permission of the authors. Go ahead and uninstall, and I'll remove remaining entries.

    You also have processes running for multiple antivirus programs: Symantec Live Update, Avira and AVG. Keep one, remove the others.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =========================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave these logs in your next reply.
  3. anubis202

    anubis202 Newcomer, in training Topic Starter

    Thanks for the reply Bobbye. I was unable to find Hitman Pro, Symantec, or AVG under the Add/Remove Programs list, so I did a search on my computer and deleted the files for these programs.

    Here are my logs.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    I'll remove any left over entries for the programs that show up in Combofix. While I'm setting that up, go ahead and handle this entry from Eset:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Documents and Settings\Chris\My Documents\FruityLoops Studio 8.0 XXL Edition\flstudio_8.0_install.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    You've got a nasty Rootkit in the MBR. Sometimes it's tough to remove, but this usually does the job:

    Please print the instructions below for this program. You will not have access to the directions once you have started

    Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
    • Close out all other open programs and windows.
    • Double-click on it to run the tool and follow any prompts.
    • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
      Make sure you leave a space between helpasst and -mbrt.
    • Click OK or press Enter.
    • HelpAsst fix will create and open a log when done.
    • Copy and paste the contents of that log into your next reply.
    In the event the tool does not detect an mbr infection and completes, do this:
    • Go to > Run> in the Open dialog box type: mbr -f
    • Click OK or press Enter.
    • Now, please do the Start > Run > mbr -f command a second time.
    • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
    • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
      Make sure you leave a space between helpasst and -mbrt.
    • Click OK or press Enter.
    • HelpAsst fix will create and open a log when done.
    • Copy and paste the contents of that log into your next reply.

    -- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
    Source: BleepingComputer.
    ========================================
    You have a large number of ports open in the firewall, including one for Remote Desktop. Did you do this intentionally?
  6. anubis202

    anubis202 Newcomer, in training Topic Starter

    Here's the contents of my OTM log:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\Chris\My Documents\FruityLoops Studio 8.0 XXL Edition\flstudio_8.0_install.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Anita Collier

    User: Chris
    ->Temp folder emptied: 36650 bytes
    ->Temporary Internet Files folder emptied: 17285467 bytes
    ->Java cache emptied: 3879 bytes
    ->Flash cache emptied: 768 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Guest
    ->Temp folder emptied: 3186 bytes
    ->Temporary Internet Files folder emptied: 6651771 bytes
    ->Flash cache emptied: 716 bytes

    User: HelpAssistant
    ->Temp folder emptied: 1276244 bytes
    ->Temporary Internet Files folder emptied: 14674678 bytes
    ->Java cache emptied: 3879 bytes
    ->Flash cache emptied: 801 bytes

    User: HelpAssistant.ANITACOLLIER
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 305356 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 38.00 mb


    OTM by OldTimer - Version 3.1.12.2 log created on 06182010_013033

    Files moved on Reboot...
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\N0EES2SX\ads[1].txt moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\N0EES2SX\sh19[1].html moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\N0EES2SX\topic148612[4].html moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\80L9XHU3\01[2].htm moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2OWV9OT0\ads[1].htm moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2MFSPHBB\ads[2].htm moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2MFSPHBB\ads[3].htm moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
    File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.
    File C:\WINDOWS\temp\Perflib_Perfdata_d8.dat not found!

    Registry entries deleted on Reboot...



    The HelpAsst mebroot fix.exe link seems to be broken- I get the "404 Not Found" page when I click it.
    Would you recommend backing up my files before the mbr fix?

    Also, the ports were probably opened by my brother for certain video games, but I was wondering how I would go about closing them?

    Thanks!
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

  8. anubis202

    anubis202 Newcomer, in training Topic Starter

    These are the contents of my Help Asst log:


    C:\Documents and Settings\Chris\Desktop\HelpAsst_mebroot_fix.exe
    Tue 06/22/2010 at 23:10:14.04

    HelpAssistant account is Active ~ attempting to de-activate

    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "7804:TCP"=-
    "7805:TCP"=-
    "3389:TCP"=-
    "1974:TCP"=-
    "2448:TCP"=-
    "8912:TCP"=-
    "8911:TCP"=-
    "8507:TCP"=-
    "8506:TCP"=-
    "7943:TCP"=-
    "7944:TCP"=-
    "5349:TCP"=-
    "9198:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "7804:TCP"=-
    "7805:TCP"=-
    "3389:TCP"=-
    "1974:TCP"=-
    "2448:TCP"=-
    "8912:TCP"=-
    "8911:TCP"=-
    "8507:TCP"=-
    "8506:TCP"=-
    "7943:TCP"=-
    "7944:TCP"=-
    "5349:TCP"=-
    "9198:TCP"=-

    ~~ Checking profile list ~~

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2973937239-1337085887-2461794318-1008
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Tue 06/22/2010 at 23:41:00.75

    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xFF5BC78A]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant.ANITACOLLIER

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "9198:TCP"=9198:TCP:*:Enabled:Services
    "5349:TCP"=5349:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "9198:TCP"=9198:TCP:*:Enabled:Services
    "5349:TCP"=5349:TCP:*:Enabled:Services


    ~~ EOF ~~

    I have the basic Windows firewall on along with Avira- if it's even considered a firewall.
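An added example, not from the thread and not part of the HelpAsst tool: a small Python checker that reads a status log in the format posted above and evaluates the same indicators the helper was looking for (HelpAssistant account state and group membership, termsrv32.dll, the profile-list entry, the MBR result, and enabled GloballyOpenPorts entries labelled "Services" or exposing 3389), with an allow-list for ports the owner opened on purpose. The sample log text and the SID in it are constructed for the example.

```python
import re

# Constructed sample in the HelpAsst_mebroot_fix log format seen in the thread:
# the fix section, the tilde rule, then the post-reboot status check.
# Illustrative values only; this is not the poster's log.
SAMPLE_LOG = r"""
HelpAssistant account is Active ~ attempting to de-activate
Account active Yes
Local Group Memberships *Administrators
~~ Checking for termsrv32.dll ~~
termsrv32.dll present! ~ attempting to remove
~~ Checking firewall ports ~~
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"3389:TCP"=-
~~ Checking profile list ~~
HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-0-0-0-1008
~~ Checking mbr ~~
user & kernel MBR OK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Status check on Tue 06/22/2010 at 23:41:00.75
Account active No
Local Group Memberships
~~ Checking mbr ~~
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"5349:TCP"=5349:TCP:*:Enabled:Services
"""

# Firewall profile key: bracketed in the status check, bare and lower-case in the
# fix section, so accept both. Port values are "port:proto"=port:proto:scope:state:name;
# deletion lines such as "3389:TCP"=- do not match PORT_RE and are skipped.
PROFILE_RE = re.compile(
    r'^\[?HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\'
    r'(\w+)\\GloballyOpenPorts\\List\]?$', re.IGNORECASE)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\1:\2:([^:]*):(Enabled|Disabled):(.*)$')

def split_sections(log_text):
    """Split the log on the tilde rule HelpAsst prints before its status check."""
    return [s for s in re.split(r"^~{20,}\s*$", log_text, flags=re.M) if s.strip()]

def parse_open_ports(section):
    """Return every GloballyOpenPorts entry still present, tagged with its profile."""
    entries, profile = [], None
    for raw in section.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1).lower()
            continue
        m = PORT_RE.match(line)
        if m and profile:
            entries.append({"profile": profile, "port": int(m.group(1)), "proto": m.group(2),
                            "enabled": m.group(4) == "Enabled", "name": m.group(5)})
    return entries

def find_rogue_ports(entries, allowed_ports=frozenset()):
    """Flag enabled entries that expose RDP (3389) or carry the generic 'Services' label
    the infection in this thread used; allowed_ports are ones the owner opened on purpose."""
    return [e for e in entries
            if e["enabled"] and e["port"] not in allowed_ports
            and (e["port"] == 3389 or e["name"].strip().lower() == "services")]

def assess(section, allowed_ports=frozenset()):
    """Evaluate one log section for the HelpAssistant/mebroot indicators."""
    rogue = find_rogue_ports(parse_open_ports(section), allowed_ports)
    f = {
        "helpassistant_active": re.search(r"^Account active\s+Yes\s*$", section, re.M) is not None,
        "helpassistant_admin": re.search(r"^Local Group Memberships\s+\*Administrators", section, re.M) is not None,
        "termsrv32_present": "termsrv32.dll present" in section,
        "profile_in_registry": "HelpAssistant profile found in registry" in section,
        "mbr_ok": "user & kernel MBR OK" in section,
        "rogue_ports": sorted({(e["profile"], e["port"]) for e in rogue}),
    }
    f["clean"] = f["mbr_ok"] and not f["rogue_ports"] and not any(
        f[k] for k in ("helpassistant_active", "helpassistant_admin",
                       "termsrv32_present", "profile_in_registry"))
    return f

def assess_log(log_text, allowed_ports=frozenset()):
    """Return (fix-section findings, final status-check findings)."""
    sections = split_sections(log_text)
    return assess(sections[0], allowed_ports), assess(sections[-1], allowed_ports)
```

On the sample, the status check still reports 3389 and the "Services" ports as open, which is exactly the follow-up question the helper raised; passing those ports in allowed_ports is how to record that they were opened on purpose.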
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Sorry for delay- I'm trying to catch up. Looks like you licked Help Assistant!

    Will you please run a new Combofix scan? Then I can get all the script entries together.

    Follow with
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    Have the redirects improved?
  10. anubis202

    anubis202 Newcomer, in training Topic Starter

    My combofix log is attached and here are the contents of the HJT log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:10:04 PM, on 6/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Solid State Networks IE Browser Plugin - {BD08A9D5-0E5C-4f42-99A3-C0CB5E860557} - C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidax.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1221543037687
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

    --
    End of file - 10039 bytes


    The redirects have definitely improved, I haven't been able to get either yahoo or google search to redirect again. However, when I open an internet page it still takes quite some time to load. I'm not sure what this is from, maybe it's just my internet connection.

    Thanks for the help!

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Please run this script first:

    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe
    
    Folder::
    c:\documents and settings\HelpAssistant\PrivacIE
    c:\documents and settings\HelpAssistant\IETldCache
    c:\documents and settings\HelpAssistant\IECompatCache
    C:\HelpAsst_backup
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\HelpAssistant.ANITACOLLIER
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"= -
    
    Driver::
    Viewpoint Manager Service
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Reboot the computer, then run the following:
    Download Dr.Web CureIt! and save it to your desktop.

    1. Double click to Run the utility and press the "Start" button in the opened window.
    2. Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files. (this is express scan)
    3. Click on the Green Arrow to the right to Select the Complete scan.
    4. When being scanned, infected files are cured, incurable files are moved to the quarantine directory. Answer Yes if asked to move or cure a file.
    5. When the scanning is finished, save the report to your desktop: it is named DrWeb.csv.
    Close the program.
    Reboot the computer: this is important to complete the moves or deletions.
    Copy the DrWeb.csv report to Notepad, then paste it in your next reply.

    Both logs in next reply please.
  12. anubis202

    anubis202 Newcomer, in training Topic Starter

    Bobbye,
    Sorry I've been busy the past couple of weeks, but I ran combofix and found that the log is over 900KB. I tried to paste it in a reply and this is the message I got.

    The text that you have entered is too long (923201 characters). Please shorten it to 20000 characters long.
    This would take far too long to post, so is there another way I can send it to you?

    I ran DrWeb and got this in the log:
    Av-test.txt;C:\Documents and Settings\HelpAssistant\Local Settings\Temp;EICAR Test File (NOT a Virus!);Incurable.Moved.;

    After the DrWeb scan I noticed that the redirecting is happening again and I've noticed a few other problems. When I closed internet explorer, I could hear music playing through my speakers which is odd because I didn't have any audio programs running. I opened up task manager and found that there were 5+ iexplorer.exe processes running. I ended them all and ran a scan with avira but it found no virus. Also, when logging into facebook, internet explorer comes up with a pop up saying it's entering a secure connection then another claiming it is leaving the secure connection. I'm not worried about my privacy on this website so I could care less if my password is retrieved by the virus, but this hasn't happened before.
    Sorry for the novel of a post. Hope you can help me further.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Please run a new Combofix scan. If necessary, split the logs over 2-3 posts. Be sure to check this in Notepad: Click on Format> uncheck Word Wrap.

    As for Dr. Web, I need to see the log. Log directions:
    5. When the scanning is finished, save the report to your desktop: it is named DrWeb.csv.
    Close the program.
    Reboot the computer: this is important to complete the moves or deletions.
    Copy the DrWeb.csv report to Notepad, then paste it in your next reply.
     
  14. anubis202

    anubis202 Newcomer, in training Topic Starter

    ComboFix 10-07-23.02 - Chris 07/23/2010 18:22:56.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.362 [GMT -7:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
    .

    2010-07-24 01:04 . 2010-07-24 01:04 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple
    2010-07-24 01:04 . 2010-07-24 01:04 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Last.fm
    2010-07-15 23:45 . 2010-07-16 06:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-15 20:44 . 2010-07-17 02:16 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-07-14 20:56 . 2010-07-14 20:56 -------- d-----w- c:\documents and settings\Chris\DoctorWeb
    2010-07-14 09:33 . 2010-07-14 09:33 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-07-14 09:17 . 2010-07-14 09:17 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
    2010-07-14 09:17 . 2010-07-14 09:17 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
    2010-07-14 01:33 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-26 21:08 . 2010-06-26 21:08 -------- d-----w- c:\program files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-24 01:04 . 2010-06-16 21:23 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
    2010-07-17 19:58 . 2009-01-17 00:54 -------- d-----w- c:\documents and settings\Chris\Application Data\StumbleUpon
    2010-06-26 21:08 . 2010-06-26 21:08 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-06-17 22:42 . 2010-06-17 22:42 -------- d-----w- c:\documents and settings\Guest\Application Data\Avira
    2010-06-17 00:41 . 2010-06-17 00:41 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
    2010-06-17 00:40 . 2010-06-17 00:40 -------- d-----w- c:\program files\ESET
    2010-06-16 21:24 . 2010-06-16 21:20 75808 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-16 05:30 . 2008-09-19 21:33 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-16 05:24 . 2004-08-23 15:26 -------- d-----w- c:\program files\Jasc Software Inc
    2010-06-16 05:23 . 2004-08-23 15:15 -------- d-----w- c:\program files\Java
    2010-06-16 05:23 . 2004-08-23 15:15 -------- d-----w- c:\program files\Common Files\Java
    2010-06-14 14:31 . 2002-08-29 10:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-12 02:13 . 2008-10-08 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-11 23:13 . 2010-06-11 23:13 503808 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5846f26b-n\msvcp71.dll
    2010-06-11 23:13 . 2010-06-11 23:13 61440 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-25edda93-n\decora-sse.dll
    2010-06-11 23:13 . 2010-06-11 23:13 499712 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5846f26b-n\jmc.dll
    2010-06-11 23:13 . 2010-06-11 23:13 348160 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5846f26b-n\msvcr71.dll
    2010-06-11 23:13 . 2010-06-11 23:13 12800 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-25edda93-n\decora-d3d.dll
    2010-06-11 22:42 . 2010-06-11 22:42 -------- d-----w- c:\program files\Avira
    2010-06-11 22:42 . 2010-06-11 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-06-11 22:17 . 2009-02-23 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-06-11 18:28 . 2010-01-18 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-06-11 17:29 . 2010-06-11 17:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-06-11 07:46 . 2010-06-10 20:06 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-06-11 02:40 . 2010-06-10 20:06 63488 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-06-11 02:40 . 2010-06-10 20:06 117760 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-06-11 02:27 . 2010-06-11 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-06-11 02:27 . 2009-08-15 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-10 20:06 . 2010-06-10 20:06 52224 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-06-10 20:06 . 2010-06-10 20:06 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
    2010-05-06 10:41 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-03 23:03 . 2010-05-03 23:03 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
    2010-05-02 05:22 . 2003-07-15 21:01 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 22:39 . 2008-12-12 05:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 22:39 . 2008-12-12 05:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-06-16_23.41.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-24 01:21 . 2010-07-24 01:21 16384 c:\windows\Temp\Perflib_Perfdata_2c0.dat
    + 2010-07-24 01:21 . 2010-07-24 01:21 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
    + 2004-08-23 15:27 . 2010-07-14 15:03 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2010-07-14 03:15 . 2010-07-14 03:15 231888 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10h_ActiveX.exe
    + 2010-07-14 03:15 . 2010-07-14 03:15 311760 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10h_ActiveX.dll
    + 2004-08-23 15:27 . 2010-07-14 15:03 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2004-08-23 15:27 . 2010-07-14 15:03 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2004-08-23 15:27 . 2010-06-12 02:16 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2010-06-26 21:08 . 2010-06-26 21:08 1094656 c:\windows\Installer\a54f8.msi
    + 2010-05-25 18:45 . 2010-05-25 18:45 8445440 c:\windows\Installer\221ddd8.msp
    + 2010-07-01 05:52 . 2010-07-01 05:52 5522944 c:\windows\Installer\221ddc4.msp
    + 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\1f57e08.msp
    + 2008-09-16 05:19 . 2010-07-02 19:39 34045896 c:\windows\SYSTEM32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-26 335872]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-09-16 03:03 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
  15. anubis202

    anubis202 Newcomer, in training Topic Starter

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
    2004-04-15 08:32 270336 -c--a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 20:39 1289000 ----a-w- c:\progra~1\MI3AA1~1\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-11-06 02:31 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "WANMiniportService"=2 (0x2)
    "usnjsvc"=3 (0x3)
    "MDM"=2 (0x2)
    "LexBceS"=2 (0x2)
    "GoToAssist"=3 (0x3)
    "AOL ACS"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "Game.exe"= Game.exe:GostSoul
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Documents and Settings\\Chris\\Desktop\\slsk.exe"=
    "c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "53785:TCP"= 53785:TCP:*:Disabled:SolidNetworkManager
    "53785:UDP"= 53785:UDP:*:Disabled:SolidNetworkManager
    "6112:TCP"= 6112:TCP:wc1
    "6112:UDP"= 6112:UDP:wc1a
    "6113:TCP"= 6113:TCP:wc2
    "6113:UDP"= 6113:UDP:wc2a
    "6114:TCP"= 6114:TCP:wc3
    "6114:UDP"= 6114:UDP:wc3a
    "6115:TCP"= 6115:TCP:wc4
    "6115:UDP"= 6115:UDP:wc4a
    "6116:TCP"= 6116:TCP:wc5
    "6116:UDP"= 6116:UDP:wc5a
    "6117:TCP"= 6117:TCP:wc6
    "6117:UDP"= 6117:UDP:wc6a
    "56602:TCP"= 56602:TCP:pando Media Booster
    "56602:UDP"= 56602:UDP:pando Media Booster
    "3389:TCP"= 3389:TCP:Remote Desktop
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "9198:TCP"= 9198:TCP:Services
    "5349:TCP"= 5349:TCP:Services
    "9193:TCP"= 9193:TCP:Services
    "9194:TCP"= 9194:TCP:Services
    "5396:TCP"= 5396:TCP:Services
    "9292:TCP"= 9292:TCP:Services
    "1802:TCP"= 1802:TCP:Services
    "2104:TCP"= 2104:TCP:Services

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/11/2010 3:42 PM 135336]
    S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [3/25/2010 1:21 PM 120232]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2008-09-17 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

    2010-07-24 c:\windows\Tasks\User_Feed_Synchronization-{61956E20-5A92-4FC3-8987-302D218FF8D5}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
    Trusted Zone: unr.edu\webct
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-23 18:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x????????????????????????:??????????????X???(???x???????X???x???x????????????????????????????????????????D?w????|???????7??w????x???x??????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xFEE4978A]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf877bf28
    \Driver\ACPI -> ACPI.sys @ 0xf86eecb8
    \Driver\atapi -> atapi.sys @ 0xf86a6852
    \Driver\iaStor -> ntoskrnl.exe @ 0x805c3d35
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
    NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xfeeafb60
    PacketIndicateHandler -> NDIS.sys @ 0xf8524a21
    SendHandler -> NDIS.sys @ 0xf850287b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(644)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    .
    Completion time: 2010-07-23 18:37:39
    ComboFix-quarantined-files.txt 2010-07-24 01:37
    ComboFix2.txt 2010-07-14 09:31
    ComboFix3.txt 2010-06-25 20:31
    ComboFix4.txt 2010-06-16 23:44
    ComboFix5.txt 2010-07-24 01:15

    Pre-Run: 61,473,792,000 bytes free
    Post-Run: 61,584,732,160 bytes free

    - - End Of File - - A1EEDAFD83E35D8FCB626326C7AC265C
  16. anubis202

    anubis202 Newcomer, in training Topic Starter

    And here are the contents of the Dr. Web log:

    Av-test.txt;C:\Documents and Settings\HelpAssistant\Local Settings\Temp;EICAR Test File (NOT a Virus!);Incurable.Moved.;
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Okay, we've been at this for over a month with lapses in between. It won't work to just drop a new log occasionally.

    Did the problems ever improve?
    What problems are you still having that are malware related?
    There are some entries in Combofix that need to be moved, but I'm not going to set that up until I know what's going on.

    There is also a large number of globally open ports. That means that any account on the system can pass through those ports. I don't know what they're for or why they're open.

    Has use of uTorrent continued in the last month?
  18. anubis202

    anubis202 Newcomer, in training Topic Starter

    Sorry about the time lapses.

    I hardly use this computer, but when I have been it's pretty much only to check this website, Facebook, or news sites. The problems did improve but only for a short while. The adwords.onlinesecuregroup redirect started happening again to all of the searches on my main user account on this computer. On the guest account no redirects happen, so I have been using this one more frequently.

    As for the ports, my brother used to play a game on here that required him to open the ports in order to host a match for other players. I don't know how he opened them, so are there any instructions you can post for me in order to close them?

    We haven't used uTorrent in probably 6 months.
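    Bobbye's remark about the globally open ports and the question of how to close them both point at the `GloballyOpenPorts\List` block in the ComboFix log. The script below is an added example (not a TechSpot tool and not part of this thread): it parses entries in the shape ComboFix prints, flags the ones a defender would want to review, and emits the matching `netsh firewall delete portopening` command (Windows XP SP2+ syntax). The sample lines are a constructed subset of the log above; treating an entry with no recorded scope/state as open to any address is a triage assumption, not documented firewall behaviour.

```python
"""Triage the GloballyOpenPorts list from a ComboFix log (Windows XP firewall).

Each entry has the shape  "PORT:PROTO"= PORT:PROTO[:SCOPE:STATE]:NAME  where
the SCOPE and STATE fields may be absent in what ComboFix prints.  Entries that
are not explicitly Disabled, carry only a generic name such as "Services", or
are open to any remote address are flagged for review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the log in this thread.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53785:TCP"= 53785:TCP:*:Disabled:SolidNetworkManager
"6112:TCP"= 6112:TCP:wc1
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"9198:TCP"= 9198:TCP:Services
"""

ENTRY_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=\s*(.*)$')
GENERIC_NAMES = {"services", "service", ""}  # descriptions that say nothing useful


@dataclass
class PortEntry:
    port: int
    proto: str
    scope: str                # "*" means any remote address
    enabled: Optional[bool]   # None when the STATE field is absent
    name: str

    def reasons(self) -> List[str]:
        """Why a defender should look at this entry; empty list means it looks fine."""
        out = []
        if self.enabled is None:
            out.append("state field missing (not written by the firewall UI)")
        elif not self.enabled:
            return []         # explicitly Disabled: nothing to do
        if self.scope == "*":
            out.append("open to any remote address")
        if self.name.strip().lower() in GENERIC_NAMES:
            out.append("generic description")
        if self.port == 3389:
            out.append("Remote Desktop exposed")
        return out

    def netsh_close(self) -> str:
        # Windows XP SP2+ syntax for removing a global port exception.
        return f"netsh firewall delete portopening protocol={self.proto} port={self.port}"


def parse_entry(line: str) -> Optional[PortEntry]:
    """Parse one registry line; returns None for headers and unrelated lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    port, proto, value = int(m.group(1)), m.group(2), m.group(3)
    fields = value.split(":")
    # Full form: PORT:PROTO:SCOPE:STATE:NAME (NAME may itself contain ':')
    if len(fields) >= 5 and fields[3] in ("Enabled", "Disabled"):
        return PortEntry(port, proto, fields[2], fields[3] == "Enabled", ":".join(fields[4:]))
    # Short form: PORT:PROTO:NAME. Scope and state were not recorded, so for
    # triage we assume the worst case (any remote address) and flag it.
    return PortEntry(port, proto, "*", None, ":".join(fields[2:]))


def triage(log_text: str) -> List[PortEntry]:
    """Return only the entries that carry at least one review reason, in log order."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.reasons()]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.port}/{e.proto:<3} {e.name!r:<24} -> {'; '.join(e.reasons())}")
        print("   ", e.netsh_close())
```

Run it against the full ComboFix log to get a checklist of exceptions to confirm with whoever created them (here, the game that needed ports forwarded) before removing them.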
  19. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Hi
    Bobbye is not present at the moment, due to some family matters, so I'll try to help you out.

    Can you post fresh Combofix log for me?
  20. anubis202

    anubis202 Newcomer, in training Topic Starter

    Hello Broni,
    Kind regards to Bobbye, I hope everything is alright.

    I noticed another problem. When I am typing it seems that every few words my computer won't register a letter that I'm sure I hit.

    The combofix log is attached.
    Thanks

    Attached Files:

  21. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Download and save HelpAsst_mebroot_fix.exe to your desktop.

    IMPORTANT! At this point, physically disconnect from the internet (unplug ethernet cable). Do NOT reconnect until I tell you to do so.

    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
  22. anubis202

    anubis202 Newcomer, in training Topic Starter

    OK, I ran the helpasst but it didn't find an infection.
    The log is attached.

    Attached Files:

  23. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Are you still physically disconnected from the internet as I asked before?
  24. anubis202

    anubis202 Newcomer, in training Topic Starter

    Shoot, I am connected now, I had to reconnect to reply. Should I use another computer for internet?
  25. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Yes, please.
    Disconnect this one and re-run HelpAsst_mebroot_fix.exe.

    Have USB flash drive ready, because we'll need it in a moment.