Solved Re-directing malware - can't perform windows or any anti-virus updates

Status
Not open for further replies.

dnrhoole

I'm new & have some sort of malware that has stopped my ability to go to any anti-virus update sites. It has stopped Windows update and has made all restore points unavailable. I can't start in safe mode either.

Spybot, mwbam, avira, & sas haven't found anything.

My Java is up-to-date.

I've tried tdsskiller with no benefit.

I thought it was downadup and tried f-secure's fix for that, but it didn't do anything.

I've tried smitfraudfix, but didn't fix the problem.

After pulling my hair out, I give up, realizing I'm over my head.

Any help would be appreciated.

Here's the hjt log.

Almost bald,
David
 
Here's the hjt log after process list.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [4shared Update] "C:\Program Files\4shared Desktop\checkUpdate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.mytinyplanets.com/?gclid=CMegpr24z58CFQkcawodZlArlw"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Download all 4shared files - C:\Program Files\4shared Desktop\down_all.htm
O8 - Extra context menu item: &Download using 4shared Desktop - C:\Program Files\4shared Desktop\down_link.htm
O8 - Extra context menu item: &Search - ?p=ZJxdm035MHUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://clc-bend.org/Remote/msrdp.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} (Image Uploader Control) - http://community.weightwatchers.com/Scripts/ImageUploader6.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F08088-74A5-4854-82C8-B238DD6374CF}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{7433496E-11DA-4671-9B78-CE10100651E1}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{B11EF868-F2E4-4A85-8FF9-62B4F1EE047F}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.20,93.188.166.38
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate1c9ebdb3d99bb5a) (gupdate1c9ebdb3d99bb5a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
 
David, your searches are being redirected through a site in the Ukraine.
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F08088-74A5-4854-82C8-B238DD6374CF}: NameServer = 93.188.162.20,93.188.166.38

You need to know however, that you should include entire logs- not the part you think we need. This will include the heading at the top, all of the processes and the section like the above. There is information we need in those sections also.

I would like you to do the following first:
DNS Changer
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  • [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
When you have finished, click on the link HERE for directions to run the preliminary steps. Please rescan with HJT when you have finished and include that new log also.

Please leave all of the logs. Let me determine what they do and don't find, and what is done with them. I will then review the logs and see where to go from that point.
 
Thanks for the info. I would have left the whole log, but it wouldn't fit within the 10,000 character limit. I'll leave it in 2 pieces if I need to next time.
 
Whenever someone has a HijackThis log that is too long to leave intact, it is an indication that the person has too many processes set to start on boot, then run in the background! But I will deal with that when I see it and make some suggestions when the cleaning is complete.

You may want to attach the log instead of pasting it in. You would also be attaching the logs from Malwarebytes and Superantispyware.
 
3 logs...

I finished all the 8 steps, and I'm attaching the logs from mwbam, sas and hjt. Thanks for any help.
David
 

Attachments

  • SUPERAntiSpyware Scan Log - 03-10-2010 - 07-47-33.log
    465 bytes · Views: 1
  • mbam-log-2010-03-09 (16-26-08).txt
    866 bytes · Views: 1
  • hijackthis.log
    11.8 KB · Views: 2
Please reopen HijackThis to 'do system scan only.' Check each of the following entries, if present:
Note: Optional entries have been coded in green. Read Options before checking:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [4shared Update] "C:\Program Files\4shared Desktop\checkUpdate.exe"
O8 - Extra context menu item: &Download all 4shared files - C:\Program Files\4shared Desktop\down_all.htm
O8 - Extra context menu item: &Download using 4shared Desktop - C:\Program Files\4shared Desktop\down_link.htm >> See Option 1
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')>> See Option 2
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')>> See Option 2.
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/webgames/popcaploader_v10.cab>> See Option 3


O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.mytinyplanets.com/?gclid=CMegpr24z58CFQkcawodZlArlw"
O8 - Extra context menu item: &Search - ?p=ZJxdm035MHUS
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F08088-74A5-4854-82C8-B238DD6374CF}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{7433496E-11DA-4671-9B78-CE10100651E1}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{B11EF868-F2E4-4A85-8FF9-62B4F1EE047F}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.20,93.188.166.38


Read Optional information first. Then close all Windows except HijackThis and click on "Fix Checked."

Option 1: File Sharing: Reasons I recommend uninstalling 4shared Desktop
  • [1] Modifies browser homepage to:
    http://search.conduit.com?SearchSource=10&ctid=CT2233703
    [2] Buttons, toolbars, or other modifications are made to the browser.
    [3] A total of 7 network servers were contacted in the conduit.com and cotcdn.net domains.
    [4] This program runs every time the system is started:
    "C:\Program Files\4shared Desktop\checkUpdate.exe"

Option 2: Unnecessary startup:
Power2GoExpress for Cyberlink

Option 3: Popcap/Poploader
You will get adware from this site. I recommend that you remove it from the Active X Objects. Instructions TF

When you have finished, disable the auto update setting in Shockwave

  • [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
    Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
    [2] Right click the Shockwave movie.
    [3] From the drop down menu choose "Properties".
    [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
    http://kb.adobe.com/selfservice/view...6683&sliceId=1

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Rescan with HJT when through. Include the Combofix report and new HJT log in your next reply.

Remind me to tell you to update the Adobe Reader when through. You have v7, current is v9.xx.
 
Next?

I think I followed all the directions correctly.
I went ahead and uninstalled 4shared desktop. I don't need the desktop feature to access the function. Attached are the logs you asked for.

I noticed in the process that Microsoft windows updater kicked in gear and installed a couple of updates that have been waiting but unable to load for the last couple weeks. I'm guessing that's a good sign.

I'll go ahead and update my Adobe Reader software now.

Thanks for the help so far.
David
 

Attachments

  • log.txt
    22.2 KB · Views: 1
  • hijackthis.log
    10.3 KB · Views: 1
wait on adobe

I'll wait to update adobe until we're finished, since that sounds like what you were saying after reading it again.
 
I would encourage you to remove the unnecessary processes from Startup. Starting on boot means they will run in the background. This is using resources that could be better applied to the other system uses. Some examples of these are:
C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe>> CD Burning
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe>> for Nikon Camera
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe


Are you using both mouse AND touchpad?
  • Logitech mouse: High CPU user for
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
  • Touchpad for laptop:
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

Active X Objects:
You have 29 Active X processes running (O16). Many are add-ons. These should be kept at a minimum because of the potential for malicious code. I suggest you review all of these entries and disable as many as you can: the reasons:
  • ActiveX is a set of controls created by Microsoft that allows a user to interact with and run compatible applications over the Internet. This is also a great avenue of attack for hackers,
  • ActiveX runs little bits of code that can install small compatible programs to your system, which allows for interactive content,
  • ActiveX has great potential to be hacked and let uninvited malicious code into your system, whether it's the loss of data or the transformation of your PC into a zombie on a botnet.

Check as follows: Open IE> Tools> Manage add-ons> examine both the section with add-ons currently running and add-ons previously run> delete any duplicates> Disable any you don't use or need> Apply> OK.

All of the above processes are legitimate. But having too many can make the system more vulnerable.

You should have been noticing some improvement on the system by now. Are you? If not, let me know.
 
A Few questions

Thanks so much. I have updated all my anti-virus, anti-malware software. All sites seemed to work just fine. I'm not experiencing any re-direct problems.

Q #1 - I'm assuming I can go ahead and run everything now - mbam etc. Is that a correct assumption?

Q #2 - If I disable certain active x pieces that I may need later, will I simply be prompted again to re-install or enable that active x component?

Q #3 - How do I remove the unnecessary processes from Startup and if I remove them, do those software pieces simply turn on when opened manually?

Q #4 - Is there a name to what my computer had and is there a patch or solution to keep me from getting it again?

Q #5 - Feel free to not respond to this Q - Is this service voluntary on your part? Either way, I'm extremely grateful for all your help and expertise.

Thanks,
David
 
Questions are good things- especially when they are phrased as well as yours:

1. Please see scan instructions after questions.
2. Yes, you will have to enable any Active X process needed for a particular process to run if you use it again. But running them all, all the time is a safety issue, so it's best to keep only those which are used frequently, then enable others as needed. For instance: you might want to leave the Java plug-in enabled, but disable the Java Quick Start. You might want to leave the MS Genuine Advantage enabled but disable Shockwave and/or flash until you need them. They will still be on the list.
This is one you definitely should disable:
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/webgames/popcaploader_v10.cab
This is referred to as legal adware from the PopCap Games company. It is a Web plug-in that provides Web update features. And a great amount of adware!

3. The easiest way to remove processes from startup is to use the msconfig utility as follows:
Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck the processes you don't want to start on boot> when finished click on Apply> OK.

This does not remove those programs or processes- it only prevents it from starting on boot. You can recheck any if you decide later that you need them, but a better way would be to click on All Programs> open the program from here.
(Note: msconfig changes are best done in Safe Mode, When you finish and boot back to Normal Mode the first time after making changes, you get a nag message that you can ignore and close after checking 'don't show this message again.) Stay in Selective Startup to retain the changes.

4. The malware you had is called a DNS Changer and shown by several entries like this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F08088-74A5-4854-82C8-B238DD6374CF}: NameServer = 93.188.162.20,93.188.166.38

Identification of the IP 93.188.162.20 shows it to be a site in the Ukraine. This is one of several IPs in the Ukraine group. This Trojan malware is designed to change the 'NameServer' Registry key value to a custom IP address. This will redirect victims to fake websites that steal credit card information, logins and passwords for on-line banks and payment systems like PayPal. The malware also hacks into the router.

Flushing the DNS (Domain Name Server) plus resetting the router will usually resolve the problem. You can find a discussion about securing the system against the DNS Changer on this site: http://www.wilderssecurity.com/showthread.php?t=227263

5. Glad to answer this one David. Forums that offer free computer help are usually 'staffed' by volunteers. Some of these forums accept donations to offset the site expenses. This one does not. Many of us find ourselves with a storehouse of information and the time to use it, so we volunteer to help others. It is also a learning experience-- rarely does a day go by when I don't learn something new.
--------------------------------------------------------------------------------------

  • 1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\Owner.Familyfun\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2479a464-n\msvcr71.dll
c:\documents and settings\Owner.Familyfun\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2479a464-n\msvcp71.dll
c:\documents and settings\Owner.Familyfun\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e0570ed-n\decora-sse.dll
c:\documents and settings\Owner.Familyfun\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2479a464-n\jmc.dll
c:\documents and settings\Owner.Familyfun\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e0570ed-n\decora-d3d.dll
c:\documents and settings\All Users\Application Data\TEMP

Folder::
c:\documents and settings\All Users\Application Data\Grisoft
c:\documents and settings\All Users\Application Data\TEMP
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
_______________
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
I will give you some tips when we finish that will help you to increase the system security.
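The DNS Changer symptom described in this thread (the O17 entries quoted above, where every interface and control set has its NameServer value pointed at the same foreign resolvers) can be checked mechanically rather than by eye. The following is an added example written for this page, not a tool from the thread or from HijackThis: it parses the O17 lines of a HijackThis log and flags any resolver that is not in an allowlist you supply. The sample log is constructed from the O17 lines posted in the thread plus one constructed benign interface entry; the `{CONSTRUCTED-BENIGN-INTERFACE}` key, the `192.168.1.1` address and the `192.168.0.0/16` allowlist are assumptions standing in for a home router, not values from the log.

```python
import ipaddress
import re

# Constructed sample log: the O17 lines quoted in this thread, one unrelated O4
# line to show the parser ignores other sections, and one constructed benign
# interface entry (the {CONSTRUCTED-...} key and 192.168.1.1 are assumptions).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F08088-74A5-4854-82C8-B238DD6374CF}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{7433496E-11DA-4671-9B78-CE10100651E1}: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.20,93.188.166.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-BENIGN-INTERFACE}: NameServer = 192.168.1.1
"""

# HijackThis O17 line shape: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[0-9.,\s]+)$")


def parse_o17(log_text):
    """Return [(registry_key, [ip, ...]), ...] for every O17 NameServer line."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), servers))
    return entries


def classify_nameservers(entries, trusted):
    """Label each configured resolver 'trusted' or 'UNTRUSTED' against an allowlist.

    `trusted` holds the resolvers you expect (your router, your ISP, or a public
    resolver you chose) as IP or CIDR strings. Any other address written into the
    NameServer keys is the DNS Changer symptom from this thread and gets flagged.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    findings = []
    for key, servers in entries:
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, s, "UNPARSEABLE"))
                continue
            verdict = "trusted" if any(ip in n for n in nets) else "UNTRUSTED"
            findings.append((key, s, verdict))
    return findings


def triage(log_text, trusted):
    """Summarise which resolvers are foreign and which registry keys carry them."""
    findings = classify_nameservers(parse_o17(log_text), trusted)
    bad = [f for f in findings if f[2] != "trusted"]
    return {
        "untrusted_servers": sorted({ip for _, ip, _ in bad}),
        "affected_keys": sorted({key for key, _, _ in bad}),
        "findings": findings,
    }


if __name__ == "__main__":
    # Assumption: the home router hands out DNS from the 192.168.0.0/16 range.
    result = triage(SAMPLE_HJT_LOG, ["192.168.0.0/16"])
    for key, ip, verdict in result["findings"]:
        print(f"{verdict:10s} {ip:16s} {key}")
    print("foreign resolvers:", result["untrusted_servers"])
    print("registry keys to fix:", len(result["affected_keys"]))
```

The allowlist is deliberately yours to supply: a private-range address is not automatically safe, because the thread notes the same malware also reconfigures the router, so the router's own DNS setting needs checking as well. The count of affected keys matters too; one foreign resolver repeated across every interface GUID and both control sets, as in this log, is a change made by software, not by a user.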
 
Eset and Combofix logs

Here are the next couple things you asked for. I believe that I followed all the directions regarding active x stuff and start-up processes. There may still be more I can delete. Any suggestions are appreciated.

Thanks again,
David
 

Attachments

  • Esetlog.txt
    1.1 KB · Views: 1
  • log2.txt
    20.4 KB · Views: 1
David, the system is looking so much better! Are you noticing the improvement and have the redirects stopped?

Eset finds one entry in the system restore points. You will be dropping the old restore points and it will be gone. If the original problem has been resolved you can go ahead and remove the cleaning tools and old restore points:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Please let me know if you need additional help.

A tip about the Java cache: Go to the Control Panel> Java> General tab> Temporary internet files> Settings> Uncheck 'keep temporary internet files on my computer'> Click on Delete> Apply> OK

Now you don't have to worry about these adding up.
 
The End

Well - I think you've done it. It appears that all things are normal - no more re-direct issues, everything updates. Thanks so much.

I do have one very minor irritation - it appears that logging in to things such as facebook has taken several login attempts. I don't think it's just "having thumbs for fingers." I'm pretty sure everything is being typed correctly, etc. Is this something I should just keep an eye on and call "coincidence" for now?

Regardless - thanks again for helping me and my computer.

David
 
You're welcome David. The Facebook problem could also be a lack of sufficient servers or a particularly high use at the time you have the logon problem. If it gets worse or you begin having other system problems related to malware, let us know. Here are some tips to help you stay clean:

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software (only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar Get the free Google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.

I'll close this thread since your problem has been resolved
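The MVPS hosts file tip in the post above works because the resolver library consults the hosts file before asking any DNS server, so a name mapped to 127.0.0.1 (or 0.0.0.0, the other common sinkhole address) never produces an outbound connection. The following is an added example written for this page, not code from the thread or from the MVPS project: it parses a hosts file in that format, reports whether a given name is sinkholed, and, going one step beyond the post, audits the same file for the opposite pattern, a name pointed at a routable address, which is what a hosts-file hijack of an update or security site looks like. The sample file is constructed; the `.invalid` names and the 203.0.113.7 address are placeholders, not real sites.

```python
import ipaddress

# Constructed excerpt in the MVPS style: every blocked name resolves to a local
# address so the connection never leaves the machine. All names are placeholders
# under the reserved .invalid TLD; 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """
# constructed hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.invalid
0.0.0.0         tracker.example.invalid     # 0.0.0.0 is the other common sinkhole address
127.0.0.1       banner.example.invalid counter.example.invalid
# an entry like the next one is the shape of a hosts-file hijack:
203.0.113.7     update.security-vendor.invalid
"""


def parse_hosts(text):
    """Map each hostname (lower-cased) to the list of addresses the file assigns it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line: skip rather than guess
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def _is_sinkhole(addr):
    """Loopback or the unspecified address: traffic stays on this machine."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def is_blocked(mapping, hostname):
    """True when the hosts file pins this name to a sinkhole address (blocklist hit)."""
    return any(_is_sinkhole(a) for a in mapping.get(hostname.lower(), []))


def suspicious_entries(mapping):
    """Names mapped to a routable address: the reverse of a blocklist entry,
    i.e. a hosts-file hijack that silently sends a real site somewhere else."""
    return sorted(
        (name, addr)
        for name, addrs in mapping.items()
        for addr in addrs
        if not _is_sinkhole(addr)
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.invalid", "news.example.invalid"):
        state = "blocked" if is_blocked(hosts, name) else "not in hosts file"
        print(f"{name}: {state}")
    print("entries to review:", suspicious_entries(hosts))
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; reading it into `parse_hosts` and running `suspicious_entries` is a quick check that nothing has pointed update or security-vendor names away from their real servers, which is one of the other ways a machine ends up unable to reach update sites besides the DNS Changer this thread dealt with.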
 