Help! Redirecting virus

anubis202

Hello, recently I found that almost all of my google searches are being redirected to advertisement sites. The website it redirects to is "adwords.onlinesecuregroup..." It seems to affect both google and yahoo searches but I haven't tried any others.

I have tried many of the free antivirus tools but none have cured it. I completed the 8 preliminary steps and my results are posted.

I had some trouble with the gmer program- the first time I ran it, I got the "blue screen of death" so I tried it again with "devices" un-checked and it crashed again. I ran it in safe mode but only one item came up during the scan, compared to many that came up on the failed scans.

After I finished the 8 steps, I tried to log on to this forum to post and the webpage would state that I had successfully logged on, but I still wouldn't be able to post. I logged onto my guest account and it worked here. I also tested google to see if the redirect is affecting this username too but it doesn't seem like it is.

I would greatly appreciate any help with this!
 

Attachments

  • mbam-log-2010-06-15 (22-52-56).txt
  • gmer.log
  • DDS.txt
  • Attach.txt
Okay, we need to dig deeper. I will ask you to uninstall Hitman Pro. It is just a bundle of programs that you can get free on the internet. Most are being used without the permission of the authors. Go ahead and uninstall, and I'll remove the remaining entries.

You also have processes running for multiple antivirus programs: Symantec Live Update, Avira and AVG. Keep one, remove the others.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
=========================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave these logs in your next reply.
 
Thanks for the reply Bobbye. I was unable to find hitman pro, symantec, or avg under the add/remove programs list, so I did a search on my computer and deleted the files for these programs.

Here are my logs.
 

Attachments

  • ComboFix.txt
  • ESETlog.txt
I'll remove any left over entries for the programs that show up in Combofix. While I'm setting that up, go ahead and handle this entry from Eset:

Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\Chris\My Documents\FruityLoops Studio 8.0 XXL Edition\flstudio_8.0_install.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
You've got a nasty Rootkit in the MBR. Sometimes it's tough to remove, but this usually does the job:

Please print the instructions below for this program. You will not have access to the directions once you have started.

Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shut down your computer.
  • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
In the event the tool does not detect an mbr infection and completes, do this:
  • Go to > Run> in the Open dialog box type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.

-- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
Source: BleepingComputer.
========================================
You have a large number of ports open in the firewall, including one for Remote Desktop. Did you do this intentionally?
 
Here's the contents of my OTM log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Chris\My Documents\FruityLoops Studio 8.0 XXL Edition\flstudio_8.0_install.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Anita Collier

User: Chris
->Temp folder emptied: 36650 bytes
->Temporary Internet Files folder emptied: 17285467 bytes
->Java cache emptied: 3879 bytes
->Flash cache emptied: 768 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 3186 bytes
->Temporary Internet Files folder emptied: 6651771 bytes
->Flash cache emptied: 716 bytes

User: HelpAssistant
->Temp folder emptied: 1276244 bytes
->Temporary Internet Files folder emptied: 14674678 bytes
->Java cache emptied: 3879 bytes
->Flash cache emptied: 801 bytes

User: HelpAssistant.ANITACOLLIER
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 305356 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 38.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06182010_013033

Files moved on Reboot...
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\N0EES2SX\ads[1].txt moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\N0EES2SX\sh19[1].html moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\N0EES2SX\topic148612[4].html moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\80L9XHU3\01[2].htm moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2OWV9OT0\ads[1].htm moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2MFSPHBB\ads[2].htm moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2MFSPHBB\ads[3].htm moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_d8.dat not found!

Registry entries deleted on Reboot...



The HelpAsst mebroot fix.exe link seems to be broken- I get the "404 Not Found" page when I click it.
Would you recommend backing up my files before the mbr fix?

Also, the ports were probably opened by my brother for certain video games, but I was wondering how I would go about closing them?

Thanks!
 
These are the contents of my Help Asst log:


C:\Documents and Settings\Chris\Desktop\HelpAsst_mebroot_fix.exe
Tue 06/22/2010 at 23:10:14.04

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7804:TCP"=-
"7805:TCP"=-
"3389:TCP"=-
"1974:TCP"=-
"2448:TCP"=-
"8912:TCP"=-
"8911:TCP"=-
"8507:TCP"=-
"8506:TCP"=-
"7943:TCP"=-
"7944:TCP"=-
"5349:TCP"=-
"9198:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7804:TCP"=-
"7805:TCP"=-
"3389:TCP"=-
"1974:TCP"=-
"2448:TCP"=-
"8912:TCP"=-
"8911:TCP"=-
"8507:TCP"=-
"8506:TCP"=-
"7943:TCP"=-
"7944:TCP"=-
"5349:TCP"=-
"9198:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2973937239-1337085887-2461794318-1008
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 06/22/2010 at 23:41:00.75

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xFF5BC78A]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant.ANITACOLLIER

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9198:TCP"=9198:TCP:*:Enabled:Services
"5349:TCP"=5349:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9198:TCP"=9198:TCP:*:Enabled:Services
"5349:TCP"=5349:TCP:*:Enabled:Services


~~ EOF ~~

I have the basic Windows firewall on along with Avira, if it's even considered a firewall.
 
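What the HelpAsst log above documents is a remote-access backdoor rather than just a search hijack: the built-in HelpAssistant account (Windows XP's Remote Assistance account, disabled by default) had been enabled and placed in Administrators, a termsrv32.dll had been dropped in system32 (the tool checks whether TermService's ServiceDll still points at the genuine termsrv.dll), and fifteen TCP exceptions had been added to the Windows Firewall, including 3389 for Remote Desktop with scope `*`, which would let the machine be reached over RDP from any address. The tool closed ten of those exceptions and left five, which is what the status check shows. The script below is an added example, not part of this thread or of the HelpAsst tool: it parses that log format (reconstructed from the posted log; the embedded sample is constructed and abridged from it) and emits the `net user` and `netsh firewall` commands that answer the earlier question about how to close the remaining ports. `net user HelpAssistant /active:no` and `netsh firewall delete portopening` are the stock XP SP2/SP3 commands; the reason strings, and the choice to auto-delete only exceptions labelled "Services" while asking the owner to confirm the Remote Desktop one, are this example's own.

```python
import re

# Added triage helper, not part of this thread or of HelpAsst_mebroot_fix.exe. It
# parses the plain-text log that tool writes (format reconstructed from the log
# above) and reports: the HelpAssistant account enabled / in Administrators, a
# termsrv32.dll in system32 or TermService's ServiceDll changed, and the XP
# firewall's GloballyOpenPorts exceptions. net/netsh syntax is XP SP2/SP3's.

RDP_PORT = 3389
ROGUE_NAME = "services"   # label carried by every rogue exception in the log

_ACCOUNT = re.compile(r"^Account active\s+(Yes|No)$")
_SERVICEDLL = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(\S.*)$")
_PROFILE = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports\\list", re.I)
# "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop   (deletion lines end in "=-")
_PORT = re.compile(r'^"(?P<port>\d{1,5}):(?P<proto>TCP|UDP)"=(?P=port):(?P=proto):'
                   r"(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")


def parse_helpasst_log(text):
    """Final state the log reports; the status-check section overrides the first."""
    f = {"account_active": None, "in_administrators": False,
         "termsrv32_present": False, "termservice_dll": None, "open_ports": []}
    profile = None
    for line in (l.strip() for l in text.splitlines()):
        if (m := _ACCOUNT.match(line)):
            f["account_active"] = m.group(1) == "Yes"
        elif line.startswith("Local Group Memberships"):
            f["in_administrators"] = "*Administrators" in line
        elif line.startswith("termsrv32.dll"):          # "present!" or "not found"
            f["termsrv32_present"] = "present" in line
        elif (m := _SERVICEDLL.match(line)):
            f["termservice_dll"] = m.group(1)
        elif (m := _PROFILE.search(line)):
            profile = m.group(1).lower()                # domainprofile / standardprofile
            f["open_ports"] = [p for p in f["open_ports"] if p["profile"] != profile]
        elif profile and (m := _PORT.match(line)):
            f["open_ports"].append({"profile": profile, "port": int(m["port"]),
                                    "proto": m["proto"], "scope": m["scope"],
                                    "enabled": m["state"] == "Enabled",
                                    "name": m["name"].strip()})
    return f


def flag_ports(f):
    """Enabled exceptions to remove, or to have the owner confirm, with a reason."""
    out = []
    for p in (p for p in f["open_ports"] if p["enabled"]):
        if p["name"].lower() == ROGUE_NAME:
            out.append((p, "generic 'Services' label used by the rogue entries"))
        elif p["port"] == RDP_PORT:
            out.append((p, "Remote Desktop reachable from " +
                        ("any address" if p["scope"] == "*" else p["scope"])))
    return out


def remediation_commands(f):
    """Lines for an XP command prompt; REM lines are notes for the operator."""
    cmds = ["net user HelpAssistant /active:no"] if f["account_active"] else []
    done = set()
    for p, reason in flag_ports(f):
        if (p["proto"], p["port"]) in done:             # same port in both profiles
            continue
        done.add((p["proto"], p["port"]))
        if p["name"].lower() == ROGUE_NAME:
            cmds.append(f"netsh firewall delete portopening protocol={p['proto']} "
                        f"port={p['port']} profile=ALL")
        else:
            cmds.append(f"REM confirm {p['port']}/{p['proto']} ({p['name']}) was "
                        f"opened on purpose: {reason}")
    dll = (f["termservice_dll"] or "").lower()
    if f["termsrv32_present"] or (dll and not dll.endswith("\\termsrv.dll")):
        cmds.append("REM TermService ServiceDll is not the genuine termsrv.dll: "
                    "restore it from a known-good copy, then reboot")
    return cmds


# Constructed sample, abridged from the log posted above.
SAMPLE_LOG = """\
Account active Yes
Local Group Memberships *Administrators
termsrv32.dll present! ~ attempting to remove
HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\domainprofile\\globallyopenports\\list
"65533:TCP"=-
"3389:TCP"=-
Status check on Tue 06/22/2010 at 23:41:00.75
Account active No
Local Group Memberships
termsrv32.dll not found
ServiceDll REG_EXPAND_SZ %systemroot%\\System32\\termsrv.dll
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"""

if __name__ == "__main__":
    print("\n".join(remediation_commands(parse_helpasst_log(SAMPLE_LOG))))
```

The `netsh firewall` context is XP-only; Vista and later replaced it with `netsh advfirewall firewall delete rule`. After running the emitted commands, `netsh firewall show portopening` and `net user HelpAssistant` (both present on XP) confirm the exceptions are gone and the account shows "Account active No". Deleting a firewall exception does not remove whatever opened it, so a clean re-scan afterwards is still needed.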
Sorry for delay- I'm trying to catch up. Looks like you licked Help Assistant!

Will you please run a new Combofix scan? Then I can get all the script entries together.

Follow with
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Have the redirects improved?
 
My combofix log is attached and here are the contents of the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:10:04 PM, on 6/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Solid State Networks IE Browser Plugin - {BD08A9D5-0E5C-4f42-99A3-C0CB5E860557} - C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidax.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1221543037687
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

--
End of file - 10039 bytes


The redirects have definitely improved, I haven't been able to get either yahoo or google search to redirect again. However, when I open an internet page it still takes quite some time to load. I'm not sure what this is from, maybe it's just my internet connection.

Thanks for the help!
 

Attachments

  • combofix2.txt
Please run this script first:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Viewpoint\Common\ViewpointService.exe

Folder::
c:\documents and settings\HelpAssistant\PrivacIE
c:\documents and settings\HelpAssistant\IETldCache
c:\documents and settings\HelpAssistant\IECompatCache
C:\HelpAsst_backup
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\documents and settings\HelpAssistant.ANITACOLLIER
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"= -

Driver::
Viewpoint Manager Service
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Reboot the computer, then run the following:
Download Dr.Web CureIt! and save it to your desktop.

  1. Double click to run the utility and press the "Start" button in the opened window.
  2. Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files (this is the express scan).
  3. Click on the green arrow to the right to select the Complete scan.
  4. While scanning, infected files are cured and incurable files are moved to the quarantine directory. Answer Yes if asked to move or cure a file.
  5. When the scanning is finished, save the report to your desktop: it is named DrWeb.csv.
Close the program.
Reboot the computer: this is important to complete the moves or deletions.
Copy the DrWeb.csv report to Notepad, then paste it in your next reply.

Both logs in next reply please.
 
Bobbye,
Sorry I've been busy the past couple of weeks, but I ran combofix and found that the log is over 900KB. I tried to paste it in a reply and this is the message I got.

The text that you have entered is too long (923201 characters). Please shorten it to 20000 characters long.
This would take far too long to post, so is there another way I can send it to you?

I ran DrWeb and got this in the log:
Av-test.txt;C:\Documents and Settings\HelpAssistant\Local Settings\Temp;EICAR Test File (NOT a Virus!);Incurable.Moved.;

After the DrWeb scan I noticed that the redirecting is happening again and I've noticed a few other problems. When i closed internet explorer, I could hear music playing through my speakers which is odd because I didn't have any audio programs running. I opened up task manager and found that there were 5+ iexplorer.exe processes running. I ended them all and ran a scan with avira but it found no virus. Also, when logging into facebook, internet explorer comes up with a pop up saying its entering a secure connection then another claiming it is leaving the secure connection. I'm not worried about my privacy on this website so I could care less if my password is retrieved by the virus, but this hasn't happened before.
Sorry for the novel of a post. Hope you can help me further.
 
Please run a new Combofix scan. If necessary, split the logs over 2-3 posts. Be sure to check this in Notepad: Click on Format> uncheck Word Wrap.

As for Dr. Web, I need to see the log. Log directions:
[5] When the scanning is finished, save the report to your desktop: it is named DrWeb.csv.
Close the program.
Reboot the computer: this is important to complete the moves or deletions.
Copy the DrWeb.csv report to Notepad, then paste it in your next reply.
 
ComboFix 10-07-23.02 - Chris 07/23/2010 18:22:56.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.362 [GMT -7:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 01:04 . 2010-07-24 01:04 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple
2010-07-24 01:04 . 2010-07-24 01:04 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Last.fm
2010-07-15 23:45 . 2010-07-16 06:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-15 20:44 . 2010-07-17 02:16 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2010-07-14 20:56 . 2010-07-14 20:56 -------- d-----w- c:\documents and settings\Chris\DoctorWeb
2010-07-14 09:33 . 2010-07-14 09:33 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-07-14 09:17 . 2010-07-14 09:17 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-07-14 09:17 . 2010-07-14 09:17 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-07-14 01:33 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-26 21:08 . 2010-06-26 21:08 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 01:04 . 2010-06-16 21:23 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2010-07-17 19:58 . 2009-01-17 00:54 -------- d-----w- c:\documents and settings\Chris\Application Data\StumbleUpon
2010-06-26 21:08 . 2010-06-26 21:08 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-17 22:42 . 2010-06-17 22:42 -------- d-----w- c:\documents and settings\Guest\Application Data\Avira
2010-06-17 00:41 . 2010-06-17 00:41 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
2010-06-17 00:40 . 2010-06-17 00:40 -------- d-----w- c:\program files\ESET
2010-06-16 21:24 . 2010-06-16 21:20 75808 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-16 05:30 . 2008-09-19 21:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-16 05:24 . 2004-08-23 15:26 -------- d-----w- c:\program files\Jasc Software Inc
2010-06-16 05:23 . 2004-08-23 15:15 -------- d-----w- c:\program files\Java
2010-06-16 05:23 . 2004-08-23 15:15 -------- d-----w- c:\program files\Common Files\Java
2010-06-14 14:31 . 2002-08-29 10:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-12 02:13 . 2008-10-08 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-11 23:13 . 2010-06-11 23:13 503808 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5846f26b-n\msvcp71.dll
2010-06-11 23:13 . 2010-06-11 23:13 61440 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-25edda93-n\decora-sse.dll
2010-06-11 23:13 . 2010-06-11 23:13 499712 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5846f26b-n\jmc.dll
2010-06-11 23:13 . 2010-06-11 23:13 348160 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5846f26b-n\msvcr71.dll
2010-06-11 23:13 . 2010-06-11 23:13 12800 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-25edda93-n\decora-d3d.dll
2010-06-11 22:42 . 2010-06-11 22:42 -------- d-----w- c:\program files\Avira
2010-06-11 22:42 . 2010-06-11 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-06-11 22:17 . 2009-02-23 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-11 18:28 . 2010-01-18 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-11 17:29 . 2010-06-11 17:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-11 07:46 . 2010-06-10 20:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-11 02:40 . 2010-06-10 20:06 63488 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-11 02:40 . 2010-06-10 20:06 117760 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-11 02:27 . 2010-06-11 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-11 02:27 . 2009-08-15 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 20:06 . 2010-06-10 20:06 52224 ----a-w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-10 20:06 . 2010-06-10 20:06 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2010-05-06 10:41 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-03 23:03 . 2010-05-03 23:03 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 05:22 . 2003-07-15 21:01 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2008-12-12 05:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2008-12-12 05:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-06-16_23.41.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 01:21 . 2010-07-24 01:21 16384 c:\windows\Temp\Perflib_Perfdata_2c0.dat
+ 2010-07-24 01:21 . 2010-07-24 01:21 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
+ 2004-08-23 15:27 . 2010-07-14 15:03 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-07-14 03:15 . 2010-07-14 03:15 231888 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10h_ActiveX.exe
+ 2010-07-14 03:15 . 2010-07-14 03:15 311760 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10h_ActiveX.dll
+ 2004-08-23 15:27 . 2010-07-14 15:03 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2004-08-23 15:27 . 2010-07-14 15:03 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-08-23 15:27 . 2010-06-12 02:16 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-06-26 21:08 . 2010-06-26 21:08 1094656 c:\windows\Installer\a54f8.msi
+ 2010-05-25 18:45 . 2010-05-25 18:45 8445440 c:\windows\Installer\221ddd8.msp
+ 2010-07-01 05:52 . 2010-07-01 05:52 5522944 c:\windows\Installer\221ddc4.msp
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\1f57e08.msp
+ 2008-09-16 05:19 . 2010-07-02 19:39 34045896 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-26 335872]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 03:03 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2004-04-15 08:32 270336 -c--a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 20:39 1289000 ----a-w- c:\progra~1\MI3AA1~1\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-11-06 02:31 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WANMiniportService"=2 (0x2)
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"GoToAssist"=3 (0x3)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"Game.exe"= Game.exe:GostSoul
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Chris\\Desktop\\slsk.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53785:TCP"= 53785:TCP:*:Disabled:SolidNetworkManager
"53785:UDP"= 53785:UDP:*:Disabled:SolidNetworkManager
"6112:TCP"= 6112:TCP:wc1
"6112:UDP"= 6112:UDP:wc1a
"6113:TCP"= 6113:TCP:wc2
"6113:UDP"= 6113:UDP:wc2a
"6114:TCP"= 6114:TCP:wc3
"6114:UDP"= 6114:UDP:wc3a
"6115:TCP"= 6115:TCP:wc4
"6115:UDP"= 6115:UDP:wc4a
"6116:TCP"= 6116:TCP:wc5
"6116:UDP"= 6116:UDP:wc5a
"6117:TCP"= 6117:TCP:wc6
"6117:UDP"= 6117:UDP:wc6a
"56602:TCP"= 56602:TCP:pando Media Booster
"56602:UDP"= 56602:UDP:pando Media Booster
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9198:TCP"= 9198:TCP:Services
"5349:TCP"= 5349:TCP:Services
"9193:TCP"= 9193:TCP:Services
"9194:TCP"= 9194:TCP:Services
"5396:TCP"= 5396:TCP:Services
"9292:TCP"= 9292:TCP:Services
"1802:TCP"= 1802:TCP:Services
"2104:TCP"= 2104:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/11/2010 3:42 PM 135336]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [3/25/2010 1:21 PM 120232]
.
Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-09-17 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-07-24 c:\windows\Tasks\User_Feed_Synchronization-{61956E20-5A92-4FC3-8987-302D218FF8D5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: unr.edu\webct
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 18:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x????????????????????????:??????????????X???(???x???????X???x???x????????????????????????????????????????D?w????|???????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xFEE4978A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf877bf28
\Driver\ACPI -> ACPI.sys @ 0xf86eecb8
\Driver\atapi -> atapi.sys @ 0xf86a6852
\Driver\iaStor -> ntoskrnl.exe @ 0x805c3d35
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xfeeafb60
PacketIndicateHandler -> NDIS.sys @ 0xf8524a21
SendHandler -> NDIS.sys @ 0xf850287b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-07-23 18:37:39
ComboFix-quarantined-files.txt 2010-07-24 01:37
ComboFix2.txt 2010-07-14 09:31
ComboFix3.txt 2010-06-25 20:31
ComboFix4.txt 2010-06-16 23:44
ComboFix5.txt 2010-07-24 01:15

Pre-Run: 61,473,792,000 bytes free
Post-Run: 61,584,732,160 bytes free

- - End Of File - - A1EEDAFD83E35D8FCB626326C7AC265C
 
And here are the contents of the Dr. web log:

Av-test.txt;C:\Documents and Settings\HelpAssistant\Local Settings\Temp;EICAR Test File (NOT a Virus!);Incurable.Moved.;
 
Okay, we've been at this for over a month with lapses in between. It won't work to just drop a new log occasionally.

Did the problems ever improve?
What problems are you still having that are malware related?
There are some entries in Combofix that need to be moved, but I'm not going to set that up until I know what's going on.

There is also a large number of globally open ports. That means that any account on the system can pass through those ports. I don't know what they're for or why they're open.

Has use of uTorrent continued in the last month?
 
Sorry about the time lapses.

I hardly use this computer but when I have been it's pretty much only to check this website, facebook, or news sites. The problems did improve but only for a short while. The adwords.onlinesecuregroup redirect started happening again to all of the searches on my main user account on this computer. On the guest account no redirects happen so I have been using this one more frequently.

As for the ports, my brother used to play a game on here that required him to open the ports in order to host a match for other players. I don't know how he opened them, so are there any instructions you can post for me in order to close them?

We haven't used uTorrent in probably 6 months.
 
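The open-port question above (the helper's remark about the globally open ports in the ComboFix log, and the request for instructions to close them), as an added example that is not part of the original thread: a small Python script that parses the GloballyOpenPorts\List block of a ComboFix log, separates the entries the thread accounts for (the Warcraft III wc1 to wc6 ports, Pando Media Booster, ActiveSync, the disabled SolidNetworkManager entries) from the ones nobody has explained, and prints the Windows XP `netsh firewall delete portopening` commands that would remove the unexplained ones. The sample block is an excerpt copied from the log posted above; the "known label" list and the choice to put "Services" and "Remote Desktop" in the review pile are assumptions made for illustration, not a finding that those entries are malicious.

```python
"""Parse GloballyOpenPorts entries from a ComboFix log and emit the
Windows XP ``netsh firewall`` commands that would close the ones that
no known application accounts for.

Added example, not part of the original thread or of ComboFix itself.
"""
import re

# Constructed sample input: an excerpt of the GloballyOpenPorts\List
# block from the ComboFix log posted in the thread (not the full list).
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53785:TCP"= 53785:TCP:*:Disabled:SolidNetworkManager
"6112:TCP"= 6112:TCP:wc1
"6112:UDP"= 6112:UDP:wc1a
"56602:TCP"= 56602:TCP:pando Media Booster
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9198:TCP"= 9198:TCP:Services
'''

# One registry value per line: "port:proto"= port:proto[:scope:mode]:name
ENTRY_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.+)$')

# Assumption for this example: labels the thread explains. Everything
# else (here "Services" and "Remote Desktop") goes to the review pile.
KNOWN_LABEL_RE = re.compile(
    r'^(wc\d+a?|pando .*|ActiveSync .*|SolidNetworkManager)$', re.I)


def parse_entries(log_text):
    """Return one dict per port entry inside a GloballyOpenPorts block.

    The XP value format is port:proto:scope:mode:name. Some entries in
    the log carry only port:proto:name, so scope and mode are optional
    and default to '*' (any address) and 'Enabled'.
    """
    entries = []
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            in_block = 'GloballyOpenPorts' in line
            continue
        if not in_block:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        port, proto, value = int(m.group(1)), m.group(2), m.group(3)
        fields = value.split(':')       # fields[0:2] repeat port/proto
        if len(fields) >= 5:
            scope, mode, name = fields[2], fields[3], ':'.join(fields[4:])
        else:
            scope, mode, name = '*', 'Enabled', ':'.join(fields[2:])
        entries.append({'port': port, 'proto': proto, 'scope': scope,
                        'mode': mode, 'name': name})
    return entries


def unexplained(entries):
    """Enabled entries whose label no known application accounts for."""
    return [e for e in entries
            if e['mode'] == 'Enabled' and not KNOWN_LABEL_RE.match(e['name'])]


def netsh_delete_commands(entries):
    """XP SP2/SP3 'netsh firewall' command that removes each entry
    from the standard (non-domain) profile, which is where the log
    shows these values living."""
    return ['netsh firewall delete portopening protocol=%s port=%d profile=STANDARD'
            % (e['proto'], e['port']) for e in entries]


if __name__ == '__main__':
    found = parse_entries(SAMPLE_LOG)
    for e in found:
        tag = 'review' if e in unexplained(found) else 'known'
        print('%-6s %5d/%s scope=%s mode=%s name=%r'
              % (tag, e['port'], e['proto'], e['scope'], e['mode'], e['name']))
    print()
    print('REM commands for an Administrator cmd prompt on the XP machine:')
    for cmd in netsh_delete_commands(unexplained(found)):
        print(cmd)
```

Run the script against the full log (replace `SAMPLE_LOG` with the file contents), check the "review" lines against what the household actually uses, then paste the printed commands into a cmd prompt run as Administrator on the affected machine. `netsh firewall show portopening` before and after confirms what was removed, and the same command is the quickest way to see whether any entry comes back on its own after a reboot.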
Hi
Bobbye is not present at the moment, due to some family matters, so I'll try to help you out.

Can you post fresh Combofix log for me?
 
Hello Broni,
Kind regards to Bobbye, I hope everything is alright.

I noticed another problem. When I am typing it seems that every few words my computer won't register a letter that I'm sure I hit.

The combofix log is attached.
Thanks
 

Attachment: combofix4txt.txt (18.3 KB)
Download and save HelpAsst_mebroot_fix.exe to your desktop.

IMPORTANT! At this point, physically disconnect from the internet (unplug ethernet cable). Do NOT reconnect until I tell you to do so.

  • Close all open programs.
  • Double click HelpAsst_mebroot_fix.exe to run it.
  • Pay attention to the running tool.
  • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
  • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

    • helpasst -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

IMPORTANT!
If the tool does NOT detect any mbr infection and completes, proceed with the following...

  • Click Start>Run and copy and paste the following command, then hit Enter:

    • mbr -f
  • Repeat the above step one more time
  • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
  • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

    • helpasst -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
 
Ok I ran the helpasst but it didn't find an infection.
The log is attached.
 

Attachment: HelpAsst.log (3.1 KB)
Yes, please.
Disconnect this one and re-run HelpAsst_mebroot_fix.exe.

Have USB flash drive ready, because we'll need it in a moment.
 