
Need help; my searches are getting redirected

Discussion in 'Virus and Malware Removal' started by seebo, Jan 2, 2011.

  1. seebo Newcomer, in training Posts: 38

    Broni,

    Had a bit more difficulty getting COMBOFIX to run. Had to try several times before it ran all the way through.

    Computer is acting a bit screwier. Specifically, I'm regularly (every 10-15 minutes) getting messages that Internet Explorer had to shut down, even though I have not been running IE.

    Anyway, here is the log:

    ComboFix 11-01-06.06 - s.metrau 01/07/2011 9:46.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2911 [GMT -5:00]
    Running from: c:\documents and settings\s.metrau\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
    .

    2011-01-03 22:35 . 2011-01-03 22:35 574 ----a-w- C:\cleanup.bat
    2011-01-03 20:21 . 2011-01-03 20:21 -------- d-----w- C:\_OTL
    2011-01-03 15:29 . 2011-01-03 15:29 -------- d-----w- c:\documents and settings\s.metrau\Local Settings\Application Data\Temp
    2011-01-02 19:47 . 2011-01-02 19:47 -------- d-----w- c:\program files\Common Files\Java
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-26 13:32 . 2010-12-26 13:32 -------- d-----w- c:\program files\iPod
    2010-12-26 13:32 . 2010-12-26 13:34 -------- d-----w- c:\program files\iTunes
    2010-12-15 20:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:43 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-07 14:35 . 2009-08-10 18:33 0 ----a-w- c:\documents and settings\s.metrau\Local Settings\Application Data\WavXMapDrive.bat
    2010-12-20 23:09 . 2009-08-10 17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-08-10 17:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-06-09 00:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-03_03.28.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-07 14:34 . 2011-01-07 14:34 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 80480 c:\windows\system32\perfc009.dat
    + 2008-04-25 16:16 . 2011-01-07 14:39 80480 c:\windows\system32\perfc009.dat
    + 2010-02-20 22:04 . 2011-01-04 16:51 55304 c:\windows\system32\mlfcache.dat
    + 2011-01-03 20:29 . 2011-01-07 14:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-02 17:52 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-18 19:51 . 2011-01-07 14:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-06-18 19:51 . 2011-01-07 14:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2011-01-07 14:39 467430 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 467430 c:\windows\system32\perfh009.dat
    + 2007-07-11 17:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 17:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
    - 2009-08-10 17:35 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-08-10 17:35 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-06-09 2220032]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-8-10 869376]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-8-10 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Datatel\\UI\\wIntegSM.exe"=
    "c:\\Program Files\\Datatel\\UI\\datatel.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 6:09 PM 77824]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 10:05 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/8/2009 10:05 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/8/2009 10:05 PM 244368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/8/2009 10:05 PM 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/8/2009 7:26 PM 232744]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
    S3 Normandy;Normandy SR2; [x]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://campus.usip.edu/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: usip.edu\campus
    FF - ProfilePath - c:\documents and settings\s.metrau\Application Data\Mozilla\Firefox\Profiles\fmzr22gc.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - usp.edu
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-07 10:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2868)
    c:\windows\system32\WININET.dll
    c:\windows\system32\igfxdo.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\system32\btmmhook.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-01-07 10:29:28
    ComboFix-quarantined-files.txt 2011-01-07 15:29
    ComboFix2.txt 2011-01-05 12:43
    ComboFix3.txt 2011-01-03 03:44

    Pre-Run: 117,042,147,328 bytes free
    Post-Run: 117,409,689,600 bytes free

    - - End Of File - - 9CC3E4B61BDF550CB8779CBAF8829C74
  2. Broni Malware Annihilator Posts: 40,051   +187

    Please download SystemScan and save it to your desktop.

    • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
    • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
    • Double-click on sys*****.exe to start the tool.
    • A read before proceeding disclaimer will appear.
    • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
    • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
    • When SystemScan opens, click the "Unselect all" button.
    • Important: Under "Make your choice and than click...", check the boxes next to:
      • PC accounts
    • Everything else should be unchecked.
    • Click "Scan Now".
    • Another warning box will appear. Please follow the instructions and click OK.
    • Please be patient while the scan is in progress.
    • Systemscan will scan your computer and create a folder named Suspectfile on the Desktop to save its report.
    • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
    • Copy and paste the contents of report.txt in your next reply.
  3. seebo Newcomer, in training Posts: 38

    Here you go, Broni. Scan was very quick. ~S

    SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

    Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)
    System directory: C:\WINDOWS
    SystemScan file: C:\Documents and Settings\s.metrau\Desktop\sys79599.exe
    Running in: User mode
    Date: 1/8/2011
    Time: 9:44:41 AM

    Output limited to:
    -PC accounts

    ===================== ACCOUNTS ON THIS PC =====================


    Users on this computer:
    Is Admin? | Username
    ------------------
    Yes | Administrator
    | Guest (Disabled)
    | HelpAssistant (Disabled)
    | SUPPORT_388945a0 (Disabled)
    | USP

    ### users folders

    25/04/2008 16:32:31 (DIR) 0 byte 988 days old -- LocalService
    18/06/2009 14:52:31 (DIR) 0 byte 569 days old -- Default User
    18/06/2009 14:52:43 (DIR) 0 byte 569 days old -- USP
    08/06/2009 19:31:58 (DIR) 0 byte 579 days old -- Administrator
    10/11/2010 16:26:59 (DIR) 0 byte 59 days old -- All Users
    05/01/2011 00:33:29 (DIR) 0 byte 3 days old -- s.metrau
    07/01/2011 15:58:00 (DIR) 0 byte 1 days old -- NetworkService

    ### startup files in users folders

    C:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\s.metrau\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\USP\Start Menu\Programs\Startup\desktop.ini

    ==========================================
    Scan completed in 0.1 minutes
    End of report


    ~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
    SystemScan uses some freeware tools that remain property of their authors:

    * SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
    * dumphive (Markus Stephany)--> "Registry scan"
    * Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
    * Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
    ---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

    Thanks to all of them for their hard work
  4. Broni Malware Annihilator Posts: 40,051   +187

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
  5. seebo Newcomer, in training Posts: 38

    C:\Documents and Settings\s.metrau\Desktop\HelpAsst_mebroot_fix.exe
    Sun 01/09/2011 at 13:16:15.64

    HelpAssistant account Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~


    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Sun 01/09/2011 at 13:39:06.57

    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A3841EB]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\iaStor -> 0x8a3841eb
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    Use "Recovery Console" command "fixmbr" to clear infection !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
  6. seebo Newcomer, in training Posts: 38

    oh, and both browsers are still redirecting searches.
     
  7. Broni Malware Annihilator Posts: 40,051   +187

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, check for redirections.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
  8. seebo Newcomer, in training Posts: 38

    Hi Broni,

    As per instructions, I'm letting you know this is a Dell computer (Latitude E6400).

    Seebo
  9. Broni Malware Annihilator Posts: 40,051   +187

  10. seebo Newcomer, in training Posts: 38

    None of this seems to be working as planned.

    The directions aren't clear if I should keep the Dell MDR utility as a backup or to use this instead of the NTBR.

    So I reboot the computer trying the NTBR and get an error message "Can't open CD driver CDRCACH shsucdx can't install. ERROR: Failure loading; unable to find CD-ROM drive!"

    I try rebooting with the Dell MDR and, as per instructions, says to type in "cd \MD2" after booting with the CD. However the computer won't read an \MD2 directory, even though it's there when I read the contents of the CD (using another computer).

    I tried burning both CDs twice, and I can't get anything to work here.

    Any insights as to what may be happening, as we don't seem to be making much progress.

    Thanks,

    Seebo
  11. Broni Malware Annihilator Posts: 40,051   +187

    This:
    "So I reboot the computer trying the NTBR and get an error message "Can't open CD driver CDRCACH shsucdx can't install. ERROR: Failure loading; unable to find CD-ROM drive! "
    we can bypass using another method, but that will most likely break your ability to access Dell's recovery partition.

    I'm curious if you can access it now. Can you check?
    If not, we can go ahead with fixing MBR in a different way.
  12. seebo Newcomer, in training Posts: 38

    I tried booting with the NTBR cd again and the same thing happened.
  13. Broni Malware Annihilator Posts: 40,051   +187

    No, no, I'm asking if you can get to Dell's recovery partition by pressing CTRL + F11 at Dell's logo.
    If not, we can go ahead and fix your MBR in a different way.
    Do you have Dell's recovery CD?
  14. seebo Newcomer, in training Posts: 38

    I tried control+F11 as you said (without any cd inserted) and the computer didn't acknowledge it (i.e., went on to boot up normally). ~S
  15. Broni Malware Annihilator Posts: 40,051   +187

    OK, since you can't access it, we can feel free to fix your MBR anyway.

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.

    Re-run HelpAsst_mebroot_fix.exe and post its log.
  16. seebo Newcomer, in training Posts: 38

    I typed in *fixmbr* and received a caution notice stating that the fixmbr command has detected "an invalid or non-standard master boot record" and warns that FIXMBR may damage my partition tables if I proceed.

    So before I go further I want to make sure it's okay to proceed.
  17. Broni Malware Annihilator Posts: 40,051   +187

    Yes, go ahead.
  18. seebo Newcomer, in training Posts: 38

    Hi Broni,

    Been out of town the last few days. Followed directions and reformatted the MBR.

    Tried it twice. Didn't make any difference that I could tell.

    Seebo
  19. Broni Malware Annihilator Posts: 40,051   +187

    Let's see a new log....

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.
  20. seebo Newcomer, in training Posts: 38

    here's the log, Broni...

    C:\Documents and Settings\s.metrau\Desktop\HelpAsst_mebroot_fix.exe
    Tue 01/18/2011 at 8:56:04.15

    HelpAssistant account Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~


    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Tue 01/18/2011 at 9:16:29.10

    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD691EB]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\iaStor -> 0x8ad691eb
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    Use "Recovery Console" command "fixmbr" to clear infection !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
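The two HelpAsst_mebroot_fix logs in this thread (posts 5 and 20) both carry the same gmer mbr.exe section, and both say "user & kernel MBR OK" and "Warning: possible MBR rootkit infection !" in the same breath, which is confusing when you are reading your own log. As an added example that is not part of the thread and not code from the HelpAsst or gmer tools, here is a small Python parser that pulls the responder-relevant facts out of that section and turns them into a triage verdict. The sample log is constructed from the lines posted above; the function names and the verdict labels are my own.

```python
import re

# Constructed sample: the "Checking mbr" section of a HelpAsst_mebroot_fix log,
# assembled from the lines posted in this thread (not a capture of my own).
SAMPLE_LOG = """\
~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD691EB]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\iaStor -> 0x8ad691eb
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# "\Driver\iaStor -> 0x8ad691eb": driver object, arrow, hook address.
HOOK_RE = re.compile(r"^(\\[^\s]+)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")
# ">>UNKNOWN [0x8AD691EB]<<": a module in the call chain with no known owner.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_mbr_section(text):
    """Return the facts a responder reads from the mbr.exe section as a dict.

    Two separate checks are tracked: whether the MBR sector read in user mode
    matches the one read in kernel mode ("user & kernel MBR OK"), and whether
    the disk I/O path is hooked by code the scanner cannot attribute to a
    loaded module ("detected MBR rootkit hooks" / ">>UNKNOWN<<").
    """
    result = {
        "device_opened": False,
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "mbr_sectors_match": False,
        "unknown_modules": [],   # addresses flagged UNKNOWN on the "called modules" line
        "hooks": [],             # (driver object, address) pairs
        "warning": False,
    }
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                result["hooks"].append((m.group(1), m.group(2).lower()))
                continue
            in_hooks = False  # first non-hook line closes the hook list
        if line == "device: opened successfully":
            result["device_opened"] = True
        elif line == "user: MBR read successfully":
            result["user_mbr_read"] = True
        elif line == "kernel: MBR read successfully":
            result["kernel_mbr_read"] = True
        elif line == "user & kernel MBR OK":
            result["mbr_sectors_match"] = True
        elif line.startswith("called modules:"):
            result["unknown_modules"] = [a.lower() for a in UNKNOWN_RE.findall(line)]
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line.startswith("Warning:"):
            result["warning"] = True
    return result


def assess(parsed):
    """Triage verdict: a hook or UNKNOWN module makes the log 'suspect' even
    when the MBR sectors compare OK, because the two checks answer different
    questions; 'clean' needs both reads to succeed and agree, with no hooks."""
    if parsed["hooks"] or parsed["unknown_modules"] or parsed["warning"]:
        return "suspect"
    if (parsed["device_opened"] and parsed["user_mbr_read"]
            and parsed["kernel_mbr_read"] and parsed["mbr_sectors_match"]):
        return "clean"
    return "inconclusive"  # the scanner could not complete both reads


if __name__ == "__main__":
    parsed = parse_mbr_section(SAMPLE_LOG)
    for driver, addr in parsed["hooks"]:
        print(f"hook: {driver} -> {addr}")
    print("verdict:", assess(parsed))
```

The reason the parser keeps the sector comparison and the hook finding apart is visible in the thread itself: the "user & kernel MBR OK" line only says the boot sector looked the same from user mode and kernel mode, while the hook line says the disk stack under \Driver\iaStor is dispatching through an address the scanner cannot map to any loaded module. Rewriting the boot sector with fixmbr addresses the first check and not the second, which is why the log posted after fixmbr still shows the same hook and the same warning, only at a different address.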