TechSpot

[Solved] Search Engine redirect problem, malicious popups

Discussion in 'Virus and Malware Removal' started by Karenspook, Dec 21, 2010.

Thread Status:
Not open for further replies.
  1. Karenspook Newcomer, in training

    Here's the OTL log

    All processes killed
    ========== OTL ==========
    Service LiveUpdate stopped successfully!
    Service LiveUpdate deleted successfully!
    C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE moved successfully.
    Service EagleNT stopped successfully!
    Service EagleNT deleted successfully!
    File C:\Windows\System32\drivers\EagleNT.sys not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart deleted successfully.
    Prefs.js: "AVG Secure Search" removed from browser.search.defaultenginename
    Prefs.js: "http://search.avg.com/route/?d=4d1276fc&v=6.010.023.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=" removed from keyword.URL
    Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f963a5b-e555-4543-90e2-c3908898db71}\ not found.
    File C:\Program Files\AVG\AVG10\Firefox not found.
    Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared deleted successfully.
    File C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared not found.
    C:\ProgramData\xml4851.tmp deleted successfully.
    C:\ProgramData\xml4D04.tmp deleted successfully.
    C:\ProgramData\xml4EAA.tmp deleted successfully.
    C:\ProgramData\0jf5835bS5a moved successfully.
    C:\Users\Karen\AppData\Local\etWNRxj5tsW moved successfully.
    C:\ProgramData\etWNRxj5tsW moved successfully.
    C:\ProgramData\50888C50E5.sys moved successfully.
    C:\Users\Karen\AppData\Roaming\Uniblue\RegistryBooster\_temp folder moved successfully.
    C:\Users\Karen\AppData\Roaming\Uniblue\RegistryBooster\history folder moved successfully.
    C:\Users\Karen\AppData\Roaming\Uniblue\RegistryBooster\backup folder moved successfully.
    C:\Users\Karen\AppData\Roaming\Uniblue\RegistryBooster folder moved successfully.
    C:\Users\Karen\AppData\Roaming\Uniblue folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\Symantec\Symantec Endpoint Protection\Help folder moved successfully.
    C:\Program Files\Symantec\Symantec Endpoint Protection folder moved successfully.
    C:\Program Files\Symantec\LiveUpdate folder moved successfully.
    C:\Program Files\Symantec folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Karen
    ->Temp folder emptied: 35379 bytes
    ->Temporary Internet Files folder emptied: 140495 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 95136535 bytes
    ->Google Chrome cache emptied: 856432 bytes
    ->Flash cache emptied: 2012 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1906 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 92.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default

    User: Default User

    User: Karen
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.18.0 log created on 12222010_223613

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  2. Karenspook Newcomer, in training

    Here is the Security Check log

    Results of screen317's Security Check version 0.99.7
    Windows 7 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    MVPS Hosts File
    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.4.1
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    ``````````End of Log````````````
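    The OTL fix log in post 1 and the Security Check log in post 2 together describe what was cleaned (two Browser Helper Objects whose CLSIDs no longer resolved, a ShellExecuteHook, BootExecute entries, Firefox extension registrations, the EagleNT driver service) and what was left weak (UAC disabled, out-of-date Java and Adobe Reader). The following script is an added example written for this page, not part of the thread and not an OTL or Security Check feature: it re-reads the same load points and settings with built-in PowerShell cmdlets so the cleanup can be verified after the reboot. It is read-only; run it from an elevated Windows PowerShell. The registry paths are the standard ones for these load points, and the list of product names matched under the Uninstall keys is an assumption chosen to cover the three products the Security Check log flagged.

```powershell
# Added example, not from the thread: re-audit the load points that the OTL fix
# deleted (Browser Helper Objects, ShellExecuteHooks, Firefox extension
# registrations, BootExecute) and the two Security Check findings (UAC off,
# out-of-date Java/Reader/Flash). Read-only. Run in an elevated Windows PowerShell.

function Resolve-Clsid {
    # Map a CLSID to the DLL it loads. OTL reported "CLSID ... not found" for
    # every BHO it removed, i.e. dangling registrations; flag both that case
    # and a registered DLL that no longer exists on disk.
    param([string]$Clsid)
    $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
    if (-not $server) { return '<CLSID not registered: dangling entry>' }
    $dll = [string]$server.'(default)'
    $onDisk = [Environment]::ExpandEnvironmentVariables($dll)
    if ($dll -and -not (Test-Path -LiteralPath $onDisk)) { return "$dll  <DLL missing on disk>" }
    return $dll
}

# Keys whose subkeys (BHOs) or value names (hooks, extensions) identify what loads.
$loadPoints = @(
    @{ Name = 'Browser Helper Objects';         Mode = 'Subkeys'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
    @{ Name = 'Browser Helper Objects (WoW64)'; Mode = 'Subkeys'
       Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
    @{ Name = 'ShellExecuteHooks';              Mode = 'Values'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' },
    @{ Name = 'Firefox extensions (HKLM)';      Mode = 'Values'
       Path = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions' }
)

foreach ($lp in $loadPoints) {
    Write-Host "== $($lp.Name) =="
    $key = Get-Item -Path $lp.Path -ErrorAction SilentlyContinue
    if (-not $key) { Write-Host '  (key absent)'; continue }
    $entries = if ($lp.Mode -eq 'Subkeys') { $key.GetSubKeyNames() } else { $key.GetValueNames() }
    if (-not $entries) { Write-Host '  (empty)' }
    foreach ($e in $entries) {
        if ($e -match '^\{[0-9A-Fa-f-]{36}\}$') { Write-Host "  $e -> $(Resolve-Clsid $e)" }
        else { Write-Host "  $e = $($key.GetValue($e))" }
    }
}

# BootExecute runs native programs from smss.exe before any service or AV driver
# is up. Anything other than autochk deserves a look (the AVG entries OTL removed
# were legitimate; a random .sys or .exe here is not).
Write-Host '== Session Manager\BootExecute =='
$boot = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').BootExecute
foreach ($line in $boot) {
    $flag = if ($line -ne 'autocheck autochk *') { '   <-- non-default, verify' } else { '' }
    Write-Host "  $line$flag"
}

# Security Check reported "UAC is disabled!". EnableLUA = 0 means every process
# of an administrator account already runs with a full token, so a drive-by
# exploit gets full administrative rights without any prompt.
Write-Host '== UAC =='
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$state = if ($pol.EnableLUA -eq 1) { 'enabled' } else { 'DISABLED - re-enable and reboot' }
Write-Host "  EnableLUA = $($pol.EnableLUA) ($state)"

# The out-of-date plug-ins Security Check flagged, read from the Uninstall keys.
# The product-name pattern is an assumption covering the three products in the log.
Write-Host '== Java / Adobe Reader / Flash versions =='
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -match 'Java|Adobe Reader|Flash Player' } |
    Sort-Object DisplayName -Unique |
    ForEach-Object { Write-Host "  $($_.DisplayName)  $($_.DisplayVersion)" }
```

    A clean result is an empty or absent BHO and ShellExecuteHooks list (or entries that resolve to a DLL you recognise and that exists on disk), only `autocheck autochk *` under BootExecute, and `EnableLUA = 1`. The HKCU hives of other accounts are not covered; a per-user Firefox extension or IE toolbar would need the same check against the loaded hive of that user.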
  3. Broni Malware Annihilator

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note: If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says "Also Download Adobe Photoshop® Album Starter Edition".

    Alternatively, you can uninstall Adobe Reader (33.5 MB) and download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.
    Note: When installing Foxit Reader, make sure to UN-check any pre-checked toolbar or other garbage.
    On this page:

    make sure you have both boxes UN-checked AND (important!) click on the Decline button
  4. Karenspook Newcomer, in training

    Here's the ESET scan result.

    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip Win32/Bagle.gen.zip worm
    C:\Users\Karen\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application
  5. Broni Malware Annihilator

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip 
      C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip 
      C:\Users\Karen\Downloads\registrybooster.exe
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during the cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-of-date programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
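    Step 1 above exists because a restore point snapshots the registry hives and system files: a point taken while EagleNT.sys and the BHO DLLs were still installed would bring them back if System Restore were ever used. The script below is an added example for this page, not part of the thread and not an OTL feature; it does the same thing as `[CLEARALLRESTOREPOINTS]` plus a fresh point with built-in cmdlets, and then shows the Windows Update state from step 3. It relies on the documented behaviour that turning System Protection off for a drive discards that drive's restore points. Run it from an elevated Windows PowerShell; the drive letter and the restore point description are assumptions.

```powershell
# Added example, not from the thread: PowerShell equivalent of the
# [CLEARALLRESTOREPOINTS] step, followed by one clean restore point and a
# Windows Update status check. Run elevated. $Drive is an assumption.
param([string]$Drive = 'C:\')

function Show-RestorePoints([string]$Label) {
    Write-Host "== Restore points ($Label) =="
    $points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
    if (-not $points) { Write-Host '  (none)'; return }
    foreach ($p in $points) {
        # CreationTime is a WMI/DMTF date string; convert it for display.
        $when = [Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
        Write-Host ("  #{0,-4} {1:yyyy-MM-dd HH:mm}  {2}" -f $p.SequenceNumber, $when, $p.Description)
    }
}

Show-RestorePoints 'before'

# Turning System Protection off for a drive deletes every restore point on it;
# turning it back on starts from an empty set. Any pre-cleanup point that could
# reintroduce the removed driver and BHO DLLs is gone after these two lines.
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

# One fresh point taken after the malware has been removed (description assumed).
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'

Show-RestorePoints 'after'

# Step 3 of the checklist: the update service must be running, and the most
# recent install dates make an out-of-date machine obvious at a glance.
Write-Host '== Windows Update =='
Get-Service -Name wuauserv | Select-Object Name, Status
Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

    On Windows 8 and later, `Checkpoint-Computer` will not create a second point within 24 hours of the previous one unless the `SystemRestorePointCreationFrequency` value under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore` is set to 0; on Windows 7, the system this thread is about, the call succeeds immediately.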
  6. Karenspook Newcomer, in training

    Here's the new OTL log

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip moved successfully.
    File\Folder C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip not found.
    C:\Users\Karen\Downloads\registrybooster.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Karen
    ->Temp folder emptied: 3011281 bytes
    ->Temporary Internet Files folder emptied: 238827 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 33159191 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 32699 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 35.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default

    User: Default User

    User: Karen
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.18.0 log created on 12232010_115234

    Files\Folders moved on Reboot...
    C:\Users\Karen\AppData\Local\Temp\divF1DC.tmp\divF2C7.tmp moved successfully.
    File\Folder C:\Users\Karen\AppData\Local\Temp\JET7A8B.tmp not found!
    File\Folder C:\Windows\temp\CabFB17.tmp not found!
    File\Folder C:\Windows\temp\TarFB18.tmp not found!

    Registry entries deleted on Reboot...
  7. Karenspook Newcomer, in training

    Here's the latest OTL log

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Karen
    ->Temp folder emptied: 548168 bytes
    ->Temporary Internet Files folder emptied: 234964 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 32040237 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1495 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 678 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 31.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default

    User: Default User

    User: Karen
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.18.0 log created on 12232010_123509

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  8. Broni Malware Annihilator

    Whenever ready...
  9. Karenspook Newcomer, in training

    Alright, I cleaned up with the OTL, deleted the excess programs and logs, and installed WOT and the Secunia program.

    So far I see no problems. This might just be a Firefox problem, but sometimes when I click to open it the browser won't open. But when I go to the processes in the Task Manager it shows that it is running. Then I just have to end the process and open up Firefox again to get it running. Other than that there is nothing wrong with the computer. The internet seems to be running faster and there are no popups or redirects. The fixing of Windows Update was completely unexpected and it now runs perfectly.
    Thank you so much for all of your help! I'll be sure to take all of your advice to prevent this from ever happening again. Very Happy Holidays to you!
  10. Broni Malware Annihilator

    Way to go!!
    Good luck and stay safe :)

    Merry Christmas!

    Your Firefox issue may be caused by some add-on(s).
    Close Firefox. Go to Start > All Programs > Mozilla Firefox and click on Mozilla Firefox (safe mode). Same issue?
  11. Karenspook Newcomer, in training

    Nope, that seemed to do the trick.
    Thanks again. :wave:
  12. Broni Malware Annihilator

    You're very welcome