Redirect Virus! 7 steps completed and logs posted here

Status
Not open for further replies.
Where are the logs Sean? Follow HERE please as you were directed to do a week ago. Then leave all of the logs.
 
I am posting now. The thread wouldn't let me do it last night. There was a text limit, and it said I also had to wait for approval for the thread to be posted.

I am going to try to attach files. I am new to that so here we go.

If there is anything I am missing please let me know. I really do appreciate the help. This redirect thing is killing my time. I have so much I need to be doing and I can't research things fast enough now. I also have some kind of Gen/trojan virus. Thank you very much.

Sean C.
 

Attachments

  • gmer.log
  • AVSCAN-20100508-111149-EED4AB0A.LOG
  • DDS.txt
  • Attach.txt
  • mbam-log-2010-05-09 (22-33-00).txt
Okay, I have some script ready for you:

Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
======================
Once Combofix has been installed, run this:

Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\docume~1\owner\locals~1\temp\o1394bul.sys 
Folder::

DDS::
mSearchAssistant = 
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Trellian BHO Impl: {24180b00-2eb6-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Trellian &Toolbar: {71aaabe5-1f0f-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

Registry::
Driver::
o1394bul

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=============================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include the original Combofix report, the report after you run the script and the Eset online scan log in the next reply.
 
Ok here is the combo fix log and the ESET log.

I did not have ESET actually remove anything, as you seemed to indicate that by wanting me to unclick the remove button. I hope this was correct.
 

Attachments

  • combolog.txt
  • ESETLOG.txt
You did it correctly Sean. You do have problems and malware is only part of them:

1. You have 2 antivirus programs: Avast and Trend Micro Security Suite. This makes the system more vulnerable. Please remove one of them.
2. You're basically out of hard drive space:
C: is FIXED (NTFS) - 70 GiB total, 4.741 GiB free. >> 6.7%
D: is FIXED (FAT32) - 4 GiB total, 0.633 GiB free. >> 1.5%
You should have as close to 80% free as possible.
3. You have a file from 2002 with a Trojan Backdoor in it.
4. You have 4 outdated versions of Java:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
This also makes the system more vulnerable.
5. You have 2 files from 2006 for FTP- are you still using this?
6. There is a file named 'Achoma2.dll' from 2007 which is malware.
7. You recently got a file 'iun6002.exe' which is a Spyware.DsktopSurveil. It monitors user Internet activity and private information. It sends stolen data to a hacker site.
8. You're running Hitman Pro, which is a bundle of programs you can get free on the internet. Most don't have the permission of the authors.

There's more, Sean. But with the critical hard drive problem, I'm going to recommend two things:
First, wipe the drive and reinstall the operating system.
Second, get an external hard drive to keep the games and related programs on.

I can remove some of the files and folders, but it's not going to help you much. You can do the following which will remove what Eset found:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-3d84e560
    C:\Program Files\BackWeb\BackWeb Client\6.2.3.66\Program\runner.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Hello,

First of all, for some reason I have not been able to remove Trend Micro. I have tried several times. It will not let me take it off. Do you know how I could do this?

Secondly, I do not have the original operating system discs. I got this comp so long ago. It seems to me it used to just reinstall itself when I wiped, but man, I cannot remember.

It sucks. I also have so much to do lately. I don't think I could mess with all of the time it would take to wipe and restore everything I have on here.

I am wondering if you can help me get rid of as much of this stuff as possible? Especially anything that sends my private information to some hacker.

I appreciate your help much more than I can say..Thank you so much for all of the help.


Attached is the log from Old timer.
 

Attachments

  • 05122010_075559.log
Be sure to disable all of your security before running this:

Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
c:\windows\WSYS049.SYS
c:\windows\system32\wodFtpDLX.dll
c:\windows\system32\XceedFtp.dll
c:\windows\iun6002.exe
c:\program files\BitTorrent\bittorrent.exe
c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\windows\system32\drivers\tmpreflt.sys
c:\windows\system32\Drivers\mchInjDrv.sys
Folder::
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\program files\Hitman Pro 3.5
c:\program files\Trellian
c:\program files\Trend Micro
c:\documents and settings\Owner\Application Data\BitTorrent

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

Driver::
Tmntsrv
tmproxy
Tmpreflt
mchInjDrv
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
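Both CFScript posts in this thread (this one and the earlier one with the FCopy:: line) hand the user a plain text file made of 'Name::' section headers followed by one entry per line. As an added example that is not from the thread or from the ComboFix project, here is a small Python parser for that layout together with two consistency checks a helper might run before posting a script; the sample script, the placeholder paths and the check rules are my own constructions, not ComboFix's documented semantics.

```python
import re

# Constructed sample in the CFScript layout used by the thread's two scripts
# (a 'Name::' header, then one entry per line); paths are placeholders.
SAMPLE_CFSCRIPT = """KillAll::
File::
c:\\windows\\system32\\drivers\\exampledrv.sys
Folder::
c:\\program files\\ExampleTool
Driver::
exampledrv
orphandrv
FCopy::
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys | C:\\Windows\\System32\\drivers\\atapi.sys
C:\\only-a-source.sys
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")

def parse_cfscript(text):
    """Group non-blank lines under the most recent 'Name::' header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections

def review_cfscript(sections):
    """Consistency checks (assumed rules) to run before handing a script to a user."""
    findings = []
    # Every FCopy line must read 'source | destination' with both halves present.
    for entry in sections.get("FCopy", []):
        parts = [p.strip() for p in entry.split("|")]
        if len(parts) != 2 or not all(parts):
            findings.append(f"FCopy entry is not 'source | destination': {entry}")
    # A service removed under Driver:: should have its .sys listed under File:: too.
    sys_names = {f.rsplit("\\", 1)[-1].lower() for f in sections.get("File", [])}
    for drv in sections.get("Driver", []):
        if f"{drv.lower()}.sys" not in sys_names:
            findings.append(f"Driver:: {drv} has no matching .sys under File::")
    return findings
```

Running `review_cfscript(parse_cfscript(SAMPLE_CFSCRIPT))` on the sample reports the malformed FCopy line and the driver whose binary is never listed.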
 
Sean, a lot of files were moved. But I still see BitTorrent and a lot of poker games from 2006. Cake poker, Absolute poker, Poker Start, UltimateBet (2007), Vegas Poker and many non-poker related games. You can't expect to run all this 'stuff'.

I removed Trend Micro and all BitTorrent entries except the program itself (I missed it). But although I moved a lot, without overwriting it's still on the hard drive. You have TuneUp Utilities; doesn't that have an overwriting utility?

Has the redirect stopped?
 