Solved Trying the 8 step program

[ChelseaFC]

and I get to step 5 and GMER begins to run and I step away from PC, and it freezes it. I cant do nothing unless I reboot my PC by unplugging it.

Is it possible the screen saver is messing it up?

 

[ChelseaFC]

Sorry, I will try to uncheck devices and retry in safe mode.

 

[ChelseaFC]

Files are attached...

What I have is the redirect issue along with not being able to update windows from the website.

 

[Bobbye]

Welcome to TechSpot, Chelsea. I'll help with the malware. While I finish reviewing your logs, please do the following:

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
===========================
Please download SystemLook from one of the links below and save it to your Desktop:

• Download Mirror #1
• Download Mirror #2

• Double-click SystemLook.exe to run it.
• A blank Windows will open with the title "SystemLook v1.0-by Jpshortstuff".
• Copy the content of the following codebox into the main textfield :
  

        :filefind
        kbdhid.*

• Please Confirm everything is copied and Pasted as I have provided above
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Please leave both logs in your next reply.

EDIT: Chelsea, is AVG v9 your current antivirus program? It looks like you installed/uninstalled then reinstalled again on 5/19/2010 6:58:54 AM - Installed AVG 9.0. But there are McAfee processes also running. Please remove one of these. Multiple AV program can leave the system more vulnerable as well as slow it down. Here are tools to help with the uninstall of either one- only download for the AV you are NOT going to keep:

McAfee Removal
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully

 

[ChelseaFC]

You are correct.AVG is my current anti-virus. The reason why I uninstall AVG is because there is no way for me to deactivate it to complete the steps.
I again uninstalled AVG to perform the second steps of Combofix. I then reinstalled it before the systemlook step.

I basically uninstalled it at every step that mentions to deactivate AV software.

Now I see your updated post and will remove McAfee.

I attached the files that you requested, by unfortunately my internet connection does not work. AVG can not initialize the firewall.

So.... I am posting this from work.

Sorry for being so unorthodox.

 

[Bobbye]

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\system32\drivers\edwqoeoj.sys

DDS::
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab

Extra::
File:: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
Firefox::
Firefox-: Profile-c:\docume~1\main\applic~1\mozilla\firefox\profiles\ri1alb3k.default\

RenV::
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Dell\Media Experience\dmxlauncher .exe
c:\program files\Hewlett-Packard\HP Software Update\hpwuschd2 .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\windows\ehome\ehtray .exe
c:\windows\system32\DLA\dlactrlw .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb09 .exe

Folder::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"
"MpfService"
"mcupdmgr"
"McTskshd"
"McShield"
"McDetect"


Driver::
edwqoeoj

FCopy::
C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys | C:\WINDOWS\system32\DRIVERS\kbdhid.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Then run Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave Combofix report and Eset log in next reply.

 

[ChelseaFC]

Here they are.
How do you all know how to do all of this?

 

[Bobbye]

How do you all know how to do all of this?

I've had very kind and patient helpers along the way. I also read a lot! And I learn every day that there is more I don't know than I do know!

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\system32\drivers\edwqoeoj.sys

DDS::
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab

Extra::
File:: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
Firefox::
Firefox-: Profile-c:\docume~1\main\applic~1\mozilla\firefox\profiles\ri1alb3k.default\

Folder::
c:\documents and settings\Main\Local Settings\Application Data\eerobqjtf
c:\program files\WildTangent

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=-
"MpfService"=-
"mcupdmgr.exe"=-
"McTskshd.exe"=-
"McShield"=-
"McDetect.exe"=-

Driver::
edwqoeoj

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Chelsea, I removed some remaining McAfee Services for you. But it looks like the McAfee firewall may have done some configuring. I'm not real comfortable with those settings so I suggest this:
If you're using the Free AVG, there is no firewall. So go to the Security Center in the Control Panel> Choose Windows Firewall> Advanced tab> ICMP> Settings> check only on "Allow inbound echo request'> OK> OK> Reboot. Hopefully that will reset the firewall settings.

Let me know how the system is running after the script and firewall reset.

 

[ChelseaFC]

Well I did correct the firewall issues and I am online.

But the one thing that I try doing to see if the system is working is to go to the Microsoft website and try to do the windows update through the website and it gives me an error through Microsoft. I am not sure if it is related to this malware/virus thing because ever since I noticed a problem, it would not let me do it through the site. Only through the automatic windows setting, The error number: 0x80072EFF . I am not looking for a solution for it, just maybe this is related.

Also I was no able to post on the infected computer. It would not let me upload the file and post with the log information in the post. So I am using a secondary computer to post this.

See attached.

 

[ChelseaFC]

yes it still is blocking certain sites, no redirects but reset connections.

 

[ChelseaFC]

AVG caught this this morning as well:

"Infection";"Virus identified Win32/Patched.DP";"C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP59\A0013694.sys";"";"5/22/2010, 7:12:23 AM"

 

[Bobbye]

System Volume is the restore points. If malware is only there, it is not active in the system. I will have you drop the old restore points when the system is clean. In the meantime, don't use the restore feature.

yes it still is blocking certain sites, no redirects but reset connections.

Blocking and redirects are not the same. I am working with someone now who is concerned because his security blocks some sites. I got enough information from him to check out the sites and found his security was working as it should- protecting the system from bad sites!

And the reset can be due to either a server or the ISP. So if dirty sites are being blocked as they should be, you don't have a malware problem! So if this is what is happening to you, be thankful, not worried!

Re: Windows Update fails with Error number: 0x80072EFF

Open a Command Prompt: Start> Run> cmd> type in the following, pressing Enter after each command

net stop wuauserv
regsvr32 muweb.dll
regsvr32 wuweb.dll
net start wuauserv
exit

REMEMBER, you don't need to register both .dll files, just the one that the system is using to access the update page, be it MU or WU.

Restart the system and see if it can update.

Source: Windows Tek Archive

 

[ChelseaFC]

i ran your last set of instructions and now the internet does not work. PC is trying to acquire network address.

The sites that were being blocked where, posting to this site with an attachment and other normal legit sites.

I turned off the system restore feature.

 

[Bobbye]

Why did you turn off System Restore? An example of why you should not disable SR while we're working is this: although re-registering the file should not have disabled the connection, if it did, you could restore to right before you did it. But you don't have that option now.

'Waiting to acquire the address' can also be a server problem from the ISP, or it could mean that the router needs to be re-booted.

Best to follow my instructions and not do anything to the system unless I instruct you to. You added the Windows update problem so I gave you a suggestion. Technically the updates could have waited until I was sure the system was clean.

What I had you do was re-register some files. IT should not have disabled the connection. Did you reboot when finished?

You still have a Vundo entry that needs to be removed.

Try this for the connection:
DNS Changer
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.-

• 
  [1]. Shut down your computer, and any other computer connected to your router.
  [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  [3]. Unplug the router. Wait sixty seconds.
  [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  [5].With the router unplugged, start your computer. Run MBAM again.
  [6].Connect to the router again. The turn the router back on.
  [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Recommend you restart the System Restore.

 

[ChelseaFC]

I am sorry.

The reason I turned off system restore is because you said "In the meantime, don't use the restore feature." I misunderstood that.

I turned it off after I re registered the files and did nothing until now and clicked it back on.

Then restarted the PC and internet is back on.

Again I apologize.

I will rerun MBAM now, unconnected to the router, and attach the log.

 

[ChelseaFC]

So I ran MBAM and it found nothing.

I went online to post this message and and pop came up saying I was a winner for today and click ok. I did not do that. I ran task manager and shut down the PC.

 

[Bobbye]

Did you do the DSN flush and router reset?

 

[ChelseaFC]

Yes and here is the latest log.

 

[Bobbye]

It's clean. Are you still having the problem?

Do you use a pop-up stopper? Which one? You can have pop-ups without having a malware infection> did you know that?

 

[ChelseaFC]

Bobbye,

Thank you for your help.

I haven't had any more pages open to a site lately. But please let me try a few more days.

Two days ago you mentioned I had one more Vundo that needs to be removed. Did we remove it already?

Also, my initial MBAM log was clean as well. Is there any other test for me to run to confirm I am clean? Maybe something is being covered up?

Also, I still can not connect to Microsoft update website, so I will call my ISP.

 

[ChelseaFC]

Definitely having Google redirect issues still. Searched "endgadget", a reputable site and it always redirected me somewhere else and a fake Adobe window popped up. Force quit everything and did not click on anything.

Still have something possessed in my machine.

 

[Bobbye]

My bad- I forgot to remove this:

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

KillAll::
File::

Folder::

Registry::
RenV::
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
See if this makes a difference. Please leave report in next reply.

 

[ChelseaFC]

Attached is the recent log file.

I will play with the internet later on to see if I get anything funny.

In the meantime, if you see anything on the log file, let me know how to proceed?

 

[Bobbye]

Chelsea, there are still 2 entries that bother me. So I'd like you to do the following:

First, explain to me exactly what is happening with the 'redirect.'
Does it happen on all of the searches?
Does it only happen when you choose a site from the Google search list?
Does it happen if you load a Bookmark or Favorite?
Does it happen in all browsers if you have more than IE?
Does it happen if you type the URL in the Address Bar?

For instance, I go to http://www.engadget.com/ and use search term netbooks: And get this page:
http://www.engadget.com/search/?q=netbooks&invocationType=wl-gadget

I select the topic ARM blames Flash, netbooks and tablets for smartbook delay, oh my and this page displays
http://www.engadget.com/2010/05/06/arm-blames-flash-netbooks-and-tablets-for-smartbook-delay-oh-m/

If you did the same thing, where is the search breaking down?
==========================================
I want you to uninstall Combofix which will also remove the reports:

Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

=====================================
Now, please install a new Combofix:
Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=================================
Follow with Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

========================================
Then download the HijackThis Installer HERE and save to the desktop:

1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Leave the logs from the new Combofix scan, Eset scan and HijackThis.

 

[ChelseaFC]

Bobbye,

Before I ran the step from a day ago " KillAll::...." combofix script, I would browse the web for some time, like 5 min and everything would seem fine.

Then I would Google search a familiar site and the page would load and a new tab would open with a commercial site. Never happened before. Close the browser and redid it and still a new tab opens with a different commercial site. PLUS, I still feel whatever it was prevented me to go to the Microsoft site and update through the site.

I ran the "KillAll::.." combofix script and still haven't seen any new tabs when searching and what I am very happy about is the the Microsoft update site NOW WORKS!!

I will give you more insight on the browsing experience run the last step later on today and run your last set of instructions.

AGAIN, Thank you!