TechSpot

Intermittent browser redirect

By selkov
Feb 1, 2011
  1. When I boot my computer and open a browser, run a search on Google - Bing - whatever, right click on a link to open in a tab, I get redirected to spam sites. No matter how many tabs I open they all go elsewhere. However if I close the browser, reopen it and rerun the same search with the same results and choose the same links I can now get to them just fine.

    All works OK unless I do not use the browser for like an hour; then the scenario repeats.

    This happens in BOTH IE8 and Firefox 3.6.13.

    History: This started happening to my installation of Vista Ultimate. I ran every program I could think of: Vipre Anti Virus, ComboFix, Malwarebytes, HijackThis and several others.

    Although everything found something none of them corrected the issue. I installed Windows 7 Ultimate as an upgrade and the issue persisted. I wiped the installation and installed a clean install [Formatted the partition first] and copied back all my , links and favorites from an Acronis BU and the problem is still here.

    I think maybe the issue is attached to Firefox add-ins, as those were the only imported settings I can think of.

    Anyway I have 3 more PCs in the house now that have the same problem.
    All have firefox installed.
    I think I would like to fix this issue rather than reload all the pc's.

    This started just after the last Firefox upgrade.
    Also sometimes you can see an open blank browser flash by that says "GoogleAnyalitics".


    Any help would be wonderful.
    -Eds
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot!
    I'll help with the problem. But I need information to do it:

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ============================================
    Once I see the logs, I'll be able to determine the cause of the redirects- hopefully. Since you are running 3 other PCs, if they are all connected to a router, I may have you reset the router, depending on what I see.

    I note that you have run several other cleaning programs, unsuccessfully. You have also upgraded to Vista, then Windows 7. You have reformatted and reinstalled. All of this tends to make the problem murky. So I would like you to uninstall as follows:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Also uninstall Malwarebytes and HijackThis. I want fresh, new logs reflecting on the current condition of the system after all the updates, upgrades and reformat.

    NOTE: If I determine that you should check all of the computers, I will ask you to start a new thread for each. Please don't do that yet- I can't work on your 4 systems at the same time and help others.
     
  3. selkov

    selkov TS Rookie Topic Starter

    Bobbye,
    Thanks for your help.
    Here are the logs.




    Step 1: Antivirus – installed Vipre Premium From Sunbelt-Software. Active and running.
    Step 2: TFC Run to completion.
    Step 3: Malware Log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5655

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    2/1/2011 3:01:56 PM
    mbam-log-2011-02-01 (15-01-56).txt

    Scan type: Quick scan
    Objects scanned: 187847
    Time elapsed: 2 minute(s), 5 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    c:\Users\EDS\AppData\Local\temp\Rar$EX58.448\key gen.exe (Dont.Steal.Our.Software) -> 2076 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\EDS\AppData\Local\temp\Rar$EX58.448\key gen.exe (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.

    Step 4: GMER log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-01 15:06:30
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5 WDC_WD1001FALS-00J7B1 rev.05.00K05
    Running: GMER imbg95fi.exe; Driver: C:\Users\EDS\AppData\Local\Temp\pgrdapow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

    ---- EOF - GMER 1.0.15 ----

    Step 5: DDS

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by EDS at 15:10:07.53 on Tue 02/01/2011
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3325.2620 [GMT -5:00]

    AV: Sunbelt VIPRE *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Sunbelt VIPRE *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
    FW: Sunbelt VIPRE *Disabled* {86665057-352D-7810-313F-4F92DEFBC8FA}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\RealVNC\VNC4\winvnc4.exe
    C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\EDS\Desktop\New Folder\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uRun: [RealVNC_vncaddrbook] c:\program files\realvnc\vnc4\vncaddrbook.exe
    uRun: [Iconoid] "c:\program files\iconoid\Iconoid.exe"
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\eds\appdata\roaming\micros~1\windows\startm~1\programs\startup\hardcopy.lnk - c:\program files\hardcopy\hardcopy.exe
    StartupFolder: c:\users\eds\appdata\roaming\micros~1\windows\startm~1\programs\startup\pandora.lnk - c:\program files\pandora\Pandora.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    ================= FIREFOX ===================

    FF - ProfilePath -

    ============= SERVICES / DRIVERS ===============

    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2011-1-22 220760]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
    R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-1-22 78936]
    R2 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]
    R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]
    R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-10-27 6573568]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-10-27 229888]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
    R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2011-1-22 68696]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 176128]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-1-23 16472]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-1-23 11104]
    S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2011-1-22 68696]
    S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-1-22 94040]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-20 1343400]

    =============== Created Last 30 ================

    2011-02-01 20:03:33 54016 ----a-w- c:\windows\system32\drivers\firatp.sys
    2011-02-01 19:57:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-01 19:57:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-01 19:57:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-01 17:19:41 -------- d-----w- c:\users\eds\appdata\roaming\Avanquest
    2011-02-01 17:19:41 -------- d-----w- c:\progra~2\Avanquest
    2011-02-01 17:19:31 -------- d-----w- c:\program files\Avanquest
    2011-02-01 17:19:03 -------- d-----w- c:\program files\common files\Wise Installation Wizard
    2011-02-01 17:10:45 -------- d-s---w- C:\ComboFix
    2011-02-01 15:32:20 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-02-01 15:32:14 -------- d-----w- c:\users\eds\appdata\local\temp
    2011-02-01 15:27:31 98816 ----a-w- c:\windows\sed.exe
    2011-02-01 15:27:31 89088 ----a-w- c:\windows\MBR.exe
    2011-02-01 15:27:31 256512 ----a-w- c:\windows\PEV.exe
    2011-02-01 15:27:31 161792 ----a-w- c:\windows\SWREG.exe
    2011-01-31 21:38:29 -------- d-----w- c:\program files\Hardcopy
    2011-01-31 21:38:20 501760 ----a-w- c:\windows\SwSetupu.exe
    2011-01-31 13:45:45 -------- d-----w- c:\program files\Registry Easy
    2011-01-31 13:22:40 -------- d-----w- c:\program files\NirSoft
    2011-01-30 15:34:00 -------- d-----w- c:\users\eds\appdata\roaming\Malwarebytes
    2011-01-30 15:33:57 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-30 00:11:12 -------- d-----w- C:\Boot
    2011-01-26 23:56:35 -------- d-----w- c:\windows\Acronis
    2011-01-25 02:44:37 -------- d-----w- c:\program files\Iconoid
    2011-01-25 00:05:10 -------- d-----w- c:\program files\CCleaner
    2011-01-23 16:57:22 170080 ----a-w- c:\windows\system32\drivers\snapman.sys
    2011-01-23 16:46:09 725064 ----a-w- c:\windows\system32\pwNative.exe
    2011-01-23 16:46:08 16472 ------w- c:\windows\system32\pwdrvio.sys
    2011-01-23 16:46:03 11104 ------w- c:\windows\system32\pwdspio.sys
    2011-01-23 16:34:56 -------- d-----w- c:\program files\MSXML 4.0
    2011-01-23 16:29:19 -------- d-----w- c:\users\eds\appdata\local\NeoSmart_Technologies
    2011-01-23 16:27:35 -------- d-----w- c:\program files\NeoSmart Technologies
    2011-01-22 21:09:23 -------- d-----w- c:\progra~2\ODIR
    2011-01-22 21:08:19 209608 ----a-w- c:\windows\system32\Tabctl32.ocx
    2011-01-22 21:08:19 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2011-01-22 21:08:19 -------- d-----w- c:\program files\ODIR
    2011-01-22 20:56:21 -------- d-----w- c:\users\eds\appdata\roaming\Sunbelt
    2011-01-22 20:56:21 -------- d-----w- c:\progra~2\Sunbelt
    2011-01-22 20:49:18 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
    2011-01-22 20:49:14 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
    2011-01-22 20:48:42 68696 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
    2011-01-22 20:48:42 220760 ----a-w- c:\windows\system32\drivers\SbFw.sys
    2011-01-22 20:48:39 -------- d-----w- c:\program files\Sunbelt Software
    2011-01-22 20:40:42 -------- d-----w- c:\users\eds\appdata\roaming\MAPILab Ltd
    2011-01-22 20:40:40 -------- d-----w- c:\program files\MAPILab Ltd
    2011-01-22 20:30:18 -------- d-----w- c:\windows\Downloaded Installations
    2011-01-22 20:14:01 -------- d-----w- c:\users\eds\appdata\roaming\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
    2011-01-22 20:14:00 -------- d-----w- c:\program files\Pandora
    2011-01-22 20:06:29 -------- d-----w- c:\program files\common files\MAPILab Ltd
    2011-01-22 20:05:43 -------- d-----w- c:\users\eds\appdata\local\Downloaded Installations
    2011-01-21 23:04:19 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
    2011-01-21 23:04:14 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{83185f68-eb5c-4e4b-96fa-9eb276f809a9}\mpengine.dll
    2011-01-21 04:59:25 -------- d-----w- c:\windows\system32\appmgmt
    2011-01-21 04:50:56 -------- d-----w- c:\users\eds\appdata\local\Relief_Software
    2011-01-21 04:38:26 -------- d-----w- c:\users\eds\appdata\local\OutlookFreeware.com
    2011-01-21 03:16:24 30568 ----a-w- c:\windows\system32\mdimon.dll
    2011-01-21 03:16:24 30512 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
    2011-01-21 03:16:10 -------- d-----w- c:\users\eds\appdata\local\ElevatedDiagnostics
    2011-01-21 03:15:20 -------- d-----w- c:\windows\PCHEALTH
    2011-01-21 03:12:54 -------- d-----w- c:\users\eds\appdata\local\Microsoft Help
    2011-01-21 03:05:47 -------- d-----w- c:\program files\Elaborate Bytes
    2011-01-21 02:59:29 -------- d-----w- c:\users\eds\appdata\roaming\RealVNC
    2011-01-21 02:51:49 -------- d-----w- c:\program files\MagicISO
    2011-01-21 02:44:47 -------- d-----w- c:\users\eds\appdata\local\Mozilla
    2011-01-21 02:39:59 -------- d-----w- c:\users\eds\appdata\local\Adobe
    2011-01-21 02:34:28 90624 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HPZPPWN7.DLL
    2011-01-21 01:56:49 0 ----a-w- c:\windows\ativpsrm.bin
    2011-01-21 01:54:08 -------- d-----w- c:\windows\Panther
    2011-01-21 01:17:41 26112 ----a-w- c:\windows\system32\VNCpm.dll
    2011-01-21 01:17:32 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
    2011-01-21 01:17:32 20992 ----a-w- c:\windows\system32\vncmirror.dll
    2011-01-21 01:17:31 -------- d-----w- c:\program files\RealVNC
    2011-01-20 23:52:10 -------- d-----w- c:\program files\LSI SoftModem
    2011-01-20 23:51:10 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
    2011-01-20 23:44:13 -------- d-sh--w- c:\windows\Installer
    2011-01-20 23:36:19 -------- d-----w- c:\windows\system32\Wat
    2011-01-20 23:34:33 257024 ----a-w- c:\windows\system32\msv1_0.dll
    2011-01-20 23:33:45 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-01-20 23:33:45 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2011-01-20 23:33:45 297808 ----a-w- c:\windows\system32\mscoree.dll
    2011-01-20 23:33:45 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-01-20 23:33:45 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-01-20 23:24:14 987136 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-20 23:24:14 573440 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-20 23:24:14 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-20 23:24:14 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-20 23:24:14 208896 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-20 23:24:08 292864 ----a-w- c:\windows\system32\apphelp.dll
    2011-01-20 23:24:06 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2011-01-20 23:24:06 1619968 ----a-w- c:\program files\windows mail\msoe.dll
    2011-01-20 23:24:04 1233920 ----a-w- c:\windows\system32\msxml3.dll
    2011-01-20 23:24:02 37376 ----a-w- c:\windows\system32\rtutils.dll
    2011-01-20 23:24:01 224256 ----a-w- c:\windows\system32\schannel.dll
    2011-01-20 23:23:58 1286456 ----a-w- c:\windows\system32\ntdll.dll
    2011-01-20 23:23:54 954752 ----a-w- c:\windows\system32\mfc40.dll
    2011-01-20 23:23:54 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2011-01-20 23:23:52 34816 ----a-w- c:\windows\system32\msasn1.dll
    2011-01-20 23:23:47 530432 ----a-w- c:\windows\system32\comctl32.dll
    2011-01-20 23:23:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
    2011-01-20 23:23:38 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-01-20 23:22:13 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 23:20:47 2327552 ----a-w- c:\windows\system32\win32k.sys
    2011-01-20 23:15:14 190976 ----a-w- c:\windows\system32\drivers\ks.sys
    2011-01-20 23:12:00 -------- d-----w- c:\windows\system32\wbem\Performance
    2011-01-20 23:05:28 172032 ----a-w- c:\windows\system32\wintrust.dll
    2011-01-20 23:05:28 132608 ----a-w- c:\windows\system32\cabview.dll

    ==================== Find3M ====================

    2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
    2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
    2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb

    ============= FINISH: 15:10:46.53 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume8
    Install Date: 1/20/2011 6:04:10 PM
    System Uptime: 2/1/2011 2:48:50 PM (1 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA790FXT-UD5P
    Processor: AMD Phenom(tm) II X4 955 Processor | Socket M2 | 3200/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 402 GiB total, 383.107 GiB free.
    D: is FIXED (NTFS) - 50 GiB total, 22.032 GiB free.
    E: is FIXED (NTFS) - 85 GiB total, 52.12 GiB free.
    F: is FIXED (NTFS) - 50 GiB total, 9.07 GiB free.
    G: is FIXED (NTFS) - 10 GiB total, 3.407 GiB free.
    H: is FIXED (NTFS) - 50 GiB total, 45.72 GiB free.
    I: is FIXED (NTFS) - 28 GiB total, 13.534 GiB free.
    J: is FIXED (NTFS) - 104 GiB total, 81.655 GiB free.
    K: is FIXED (NTFS) - 103 GiB total, 84.561 GiB free.
    L: is CDROM ()
    M: is FIXED (NTFS) - 50 GiB total, 36.866 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP28: 1/26/2011 7:54:30 PM - Scheduled Checkpoint
    RP1: 1/27/2011 7:12:28 PM - Windows Update
    RP2: 1/27/2011 9:03:43 PM - Windows Update
    RP3: 1/28/2011 3:00:25 AM - Windows Update
    RP4: 1/28/2011 3:14:31 AM - Windows Update
    RP5: 1/28/2011 7:17:01 AM - Windows Update
    RP6: 1/29/2011 9:09:57 AM - Device Driver Package Install: Elaborate Bytes AG Storage controllers
    RP29: 2/1/2011 10:27:43 AM - ComboFix created restore point
    RP30: 2/1/2011 12:19:22 PM - Installed PowerDesk 7

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 2 (SP2)
    Acronis Disk Director Home
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X
    CCleaner
    EasyBCD 2.0
    Hardcopy (C:\Program Files\Hardcopy)
    Iconoid version 3.8.6
    LSI USB 2.0 Soft Modem
    Magic ISO Maker v5.5 (build 0281)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    ODIR
    Pandora
    PowerDesk 7
    Registry Easy v5.6
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2483110)
    VIPRE Antivirus Premium
    VirtualCloneDrive
    VNC Enterprise Edition E4.6.0
    VNC Mirror Driver 1.8.0
    VNC Printer Driver 1.7.0
    WinRAR 4.00 beta 4 (32-bit)

    ==== Event Viewer Messages From Past Week ========

    2/1/2011 2:51:33 PM, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
    2/1/2011 2:49:28 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    2/1/2011 2:49:28 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    2/1/2011 10:31:13 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

    ==== End Of File ===========================
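An added example, not from the thread or from the DDS tool itself: a small Python parser for the "Pseudo HJT Report" section of a DDS log like the one above. It pulls out the Run/RunOnce autostart entries and the mPolicies-system values, then flags the UAC settings that appear in this log (EnableLUA = 0, PromptOnSecureDesktop = 0) and any autostart entry pointing into user-writable scratch directories. The input is a constructed excerpt built from lines in the log plus one made-up entry named ConstructedExample; the location heuristic is an assumption, not a DDS feature.

```python
import re
from typing import Dict, List

# Constructed excerpt in DDS "Pseudo HJT Report" style. All lines except the
# [ConstructedExample] entry are copied from the log posted in the thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uRun: [RealVNC_vncaddrbook] c:\program files\realvnc\vnc4\vncaddrbook.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
uRun: [ConstructedExample] c:\users\eds\appdata\local\temp\updater.exe /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

================= FIREFOX ===================
"""

# uRun / mRun / uRunOnce / mRunOnce: [Name] command
RUN_RE = re.compile(r"^([um]Run(?:Once)?): \[([^\]]*)\]\s*(.*)$")
# mPolicies-system: Name = decimal (hex)
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
# Heuristic (assumption): autostart entries rarely live in scratch space that
# any user process can write to; such entries deserve a closer look.
USER_WRITABLE = ("\\temp\\", "\\appdata\\")


def _command_path(rest: str) -> str:
    """Extract the executable path from the command part of a Run entry."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # Unquoted command: drop a trailing switch such as " /s" or " /silent".
    return re.sub(r"\s+/\S.*$", "", rest)


def parse_hjt(text: str) -> Dict[str, object]:
    """Return the Run entries and mPolicies-system values of the HJT section."""
    runs: List[Dict[str, str]] = []
    policies: Dict[str, int] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if "Pseudo HJT Report" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("====="):  # header of the next DDS section
            break
        m = RUN_RE.match(line)
        if m:
            runs.append({"key": m.group(1), "name": m.group(2),
                         "path": _command_path(m.group(3))})
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = int(m.group(2))
    return {"run": runs, "policies": policies}


def review(text: str) -> List[str]:
    """Produce reviewer-style findings for the weak settings visible in the log."""
    parsed = parse_hjt(text)
    findings: List[str] = []
    pol = parsed["policies"]
    if pol.get("EnableLUA") == 0:
        findings.append("EnableLUA = 0: UAC is off, so anything the user launches "
                        "already runs with full admin rights")
    elif pol.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin = 0: admins elevate silently")
    if pol.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop = 0: elevation prompts are not "
                        "isolated from other windows")
    for entry in parsed["run"]:
        if any(marker in entry["path"].lower() for marker in USER_WRITABLE):
            findings.append(f"{entry['key']} [{entry['name']}] starts "
                            f"{entry['path']} from a user-writable location")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_DDS):
        print("-", finding)
```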
     
  4. selkov

    selkov TS Rookie Topic Starter

    Comments please?
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My internet connection was down from Tuesday night to this morning. I'll be catching up, but I do have some threads before you.

    There are some entries in Combofix that I have to identify, but please do the following:

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.

    As far as I can tell, the following 2 entries work together to delete hardcopy- is that correct? What hardcopy?
    2011-01-31 21:38:29 -------- d-----w- c:\program files\Hardcopy
    2011-01-31 21:38:20 501760 ----a-w- c:\windows\SwSetupu.exe
    HardCopy being a screen capture utility. I was not able to ID SwSetupu.exe on any safe site.

    Regarding c:\program files\Registry Easy. Most of us do not recommend using a Registry Cleaner. IF you decide to keep this, backup the Registry before using and be careful with removals.
    ============================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  6. selkov

    selkov TS Rookie Topic Starter

    No problems.
    I appreciate your support, was just concerned that you might have been real busy and missed me.

    As for "SwSetupu.exe", I do not remember what utility installs it, but I think it is Hardcopy. I do not think this is a new issue. I remember identifying this in the past, and it does install with a trusted software package.


    CKScanner - Additional Security Risks - These are not necessarily bad

    scanner sequence 3.FF.11
    ----- EOF -----



    NOD32
    C:\Program Files\Registry Easy\Recoveryer.dll Win32/Adware.RegistryEasy application
    C:\Program Files\Registry Easy\RegEasyCleaner.exe a variant of Win32/Adware.RegistryEasy application
    C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix.exe multiple threats
    C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\Process.exe Win32/PrcView application
    C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\restart.exe Win32/Shutdown.NAA application
    E:\ANGRY IP.exe Win32/NetTool.Portscan.C application
    E:\SmitfraudFix.exe multiple threats
    E:\ TORRENTS\D O N E\Xilisoft.iPod.Rip.v2.1.41.0104.Incl.Keygen-Lz0.rar a variant of Win32/Mehpet.A trojan
    E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Advanced.Windows.Password.Recovery.3.5.1.incl.serial.rar Win32/PassRecovery application
    E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.Password.Auditor.v1.61.incl.crack.rar probably a variant of Win32/Agent.LRKDMTB trojan
    E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.System.Password.Recovery.v4.1.rar Win32/PassRecovery application
    E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Elcomsoft Password Recovery Suit [Portable].rar Win32/PassRecovery application
    E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Advanced Windows Password Recovery\AWPR.exe Win32/PassRecovery application
    E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial.rar a variant of Win32/Olmarik.AHY trojan
    E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe a variant of Win32/Olmarik.AHY trojan
    E:\HALO\CheatEngine53.exe multiple threats


    Awaiting Further Directions.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It is difficult for me to understand why, after I pointed piracy out to you, that you went right back and did it again!!!

    TORRENTS mean file sharing and serial means piracy!

    E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe a variant of Win32/Olmarik.AHY trojan

    Spyware Doctor 2011 offers a Free Trial, then $29.95 to buy

    When you download a serial/crack/keygen to unlock a program instead of paying for it, you are stealing the program. That is called piracy.

    What part of that do you not understand?

    Support is withdrawn and this thread is closed.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thread is being reactivated at member's request. Hopefully source of repeated piracy will be controlled. Go ahead and run the following> I'm gathering some information on what was downloaded, to give you a better idea of what you are dealing with.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Program Files\Registry Easy\Recoveryer.dll 
      C:\Program Files\Registry Easy\RegEasyCleaner.exe 
      C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix.
      C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\Process.exe 
      C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\restart.exe 
      E:\ANGRY IP.exe 
      E:\SmitfraudFix.exe 
      E:\ TORRENTS\D O N E\Xilisoft.iPod.Rip.v2.1.41.0104.Incl.Keygen-Lz0.rar 
      E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Advanced.Windows.Password.Recovery.3.5.1.incl.serial.rar 
      E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.Password.Auditor.v1.61.incl.crack.rar 
      E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.System.Password.Recovery.v4.1.rar Win32/PassRecovery application
      E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Advanced Windows Password Recovery\AWPR.exe 
      E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial.rar a 
      E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe 
      E:\HALO\CheatEngine53.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red MoveIt! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  9. selkov

    selkov TS Rookie Topic Starter

    Error: Unable to interpret <C:\Program Files\Registry Easy\Recoveryer.dll > in the current context!
    Error: Unable to interpret <C:\Program Files\Registry Easy\RegEasyCleaner.exe > in the current context!
    Error: Unable to interpret <C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix.> in the current context!
    Error: Unable to interpret <C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\Process.exe > in the current context!
    Error: Unable to interpret <C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\restart.exe > in the current context!
    Error: Unable to interpret <E:\ANGRY IP.exe > in the current context!
    Error: Unable to interpret <E:\SmitfraudFix.exe > in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\Xilisoft.iPod.Rip.v2.1.41.0104.Incl.Keygen-Lz0.rar > in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Advanced.Windows.Password.Recovery.3.5.1.incl.serial.rar > in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.Password.Auditor.v1.61.incl.crack.rar > in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.System.Password.Recovery.v4.1.rar Win32/PassRecovery application> in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Advanced Windows Password Recovery\AWPR.exe > in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial.rar a > in the current context!
    Error: Unable to interpret <E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe > in the current context!
    Error: Unable to interpret <E:\HALO\CheatEngine53.exe > in the current context!

    OTM by OldTimer - Version 3.1.17.2 log created on 02052011_143844
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Wait until tomorrow- I'll move them with script through Combofix.

    Did you find out what the E Drive is? Could it have been a flash drive that was connected at the time of the scan?

    And I have Notepad going to gather the causes of the mischief with the pirated programs. One of the processes downloaded is a port scanner:
    A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

    Put the port scanner together with the password recovery app and I see the potential for doing things and going places that should not be available!
     
  11. selkov

    selkov TS Rookie Topic Starter

    I think I solved the Issue.

    Oddly enough I do not believe I actually had a hijack.
    Even though it acted like the Browser re-direct virus.

    I simply changed the primary and Secondary DNS #'s that were in the router [provided by my ISP ?] and the problem went away. I am now on the OPEN DNS #'s and have no issues at all.

    I did not confirm that the programmed #'s were the actual ones that my ISP provided but I am unaware of any virus that could change them at my router. So I assume it is their DNS where the issue is.


    As for the torrents.
    I have deleted them and uninstalled any programs that were related to them.
    I have also deleted any folders that remained after rebooting.

    What other steps should I take to clean them off my pc?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There really isn't much difference. For instance, how would you define a browser hijack vs a redirect?

    It "sounds like" you had a DNS Changer malware infection. This requires a DNS flush followed by router reset.

    You never did reply to my question asking what the E Drive was. But whoever was using it was making attempts to get passwords as well as looking for open ports.

    I don't think anything has been done to actually remove the malware, since OTM failed, but if you think the problem has been resolved and want to clean up:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
      Creating a Restore Point in Windows 7:
      • Click on Start> right click on Computer> Properties
      • Select System Protection
      • Click on the Create button (near bottom)
      • Type a name for the Restore Point
      • Click on Create again to save the restore point.

      Deleting all but the most recent System Protection point in Windows 7
      1. Click Start> Computer> right click the C Drive and choose Properties> enter.
      2. Click Disk Cleanup from there.
      3. Click Clean up system files
        This restarts Disk Cleanup to run in elevated mode.
      4. Click the More Options tab
      5. Click the Clean up under System Restore and Shadow Copies.
      6. Click OK.
      7. You will get a confirmation screen> Just click Delete.
      8. Click OK on the Disk Cleanup Screen.
      9. Click Delete Files on the Confirmation screen.
      It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
      Images courtesy lytebyte.

      Empty the Recycle Bin
     
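The two posts above describe the same symptom from both sides: resolver addresses in the router that the owner never chose, and lookups that land somewhere other than where a trusted resolver would send them. Below is an added example, not from the thread or from any tool named in it, that checks both signs offline against constructed sample data; the only real addresses in it are the two OpenDNS resolvers, and the domain names and other addresses are placeholders.

```python
"""Added example (not from the thread): an offline check for the two signs of a
DNS-changer style redirect, (1) the router or adapter hands out a resolver address
nobody chose, and (2) answers from the configured resolver disagree with a trusted
reference. All data here is constructed except the two OpenDNS resolver addresses."""
import ipaddress
from collections import Counter

# Resolvers the owner deliberately configured (allowlist; constructed for this example).
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# LAN ranges: a resolver here is normally the router itself forwarding upstream.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unexpected_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Return (lan, unknown): LAN addresses mean the router's own DNS settings must be
    checked next; anything else outside the allowlist is a configuration nobody chose."""
    lan, unknown = [], []
    for addr in configured:
        if addr in trusted:
            continue
        ip = ipaddress.ip_address(addr)
        (lan if any(ip in net for net in LAN_NETS) else unknown).append(addr)
    return lan, unknown

def divergent_answers(system, reference):
    """Domains whose A records from the configured resolver share no address with the
    reference. CDNs legitimately rotate addresses, so only an empty overlap is flagged."""
    return sorted(d for d in reference
                  if d in system and not set(system[d]) & set(reference[d]))

def shared_sink(system, min_domains=3):
    """The one address that several unrelated domains all resolve to, or None. Many
    domains collapsing onto a single address is the classic redirect pattern."""
    counts = Counter(a for addrs in system.values() for a in addrs)
    addr, n = counts.most_common(1)[0] if counts else (None, 0)
    return addr if n >= min_domains else None

def assess(configured, system, reference):
    """Combine the three checks into one verdict."""
    lan, unknown = unexpected_resolvers(configured)
    return {"lan_resolvers": lan, "unknown_resolvers": unknown,
            "divergent": divergent_answers(system, reference), "sink": shared_sink(system)}

if __name__ == "__main__":
    # Constructed sample: the router hands out an address nobody chose and three
    # search-engine lookups all land on one host. Domain names are placeholders.
    configured = ["192.168.1.1", "198.51.100.53"]
    system = {"search-a.example": ["203.0.113.7"], "search-b.example": ["203.0.113.7"],
              "search-c.example": ["203.0.113.7"], "bank.example": ["192.0.2.10"]}
    reference = {"search-a.example": ["192.0.2.1"], "search-b.example": ["192.0.2.2"],
                 "search-c.example": ["192.0.2.3"], "bank.example": ["192.0.2.10"]}
    print(assess(configured, system, reference))
```

On a live machine the two answer tables would come from the configured resolver and from a resolver you trust; a LAN address in the first bucket means the check has to be repeated against the router's own upstream setting, which is where this thread's problem lived.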
Topic Status:
Not open for further replies.
