Inactive Intermittent browser redirect


selkov

When I boot my computer and open a browser, run a search on Google, Bing, whatever, and right-click on a link to open it in a tab, I get redirected to spam sites. No matter how many tabs I open, they all go elsewhere. However, if I close the browser, reopen it, rerun the same search with the same results and choose the same links, I can now get to them just fine.

All works OK unless I do not use the browser for about an hour; then the scenario repeats.

This happens in BOTH IE8 and Firefox 3.6.13.

History: This started happening to my installation of Vista Ultimate. I ran every program I could think of: Vipre Anti Virus, ComboFix, Malwarebytes, HijackThis and several others.

Although everything found something none of them corrected the issue. I installed Windows 7 Ultimate as an upgrade and the issue persisted. I wiped the installation and installed a clean install [Formatted the partition first] and copied back all my , links and favorites from an Acronis BU and the problem is still here.

I think maybe the issue is attached to a Firefox add-in, as those were the only imported settings I can think of.

Anyway, I have 3 more PCs in the house now that have the same problem.
All have firefox installed.
I think I would like to fix this issue rather than reload all the pc's.

This started just after the last Firefox upgrade.
Also, sometimes you can see an open blank browser flash by that says "GoogleAnyalitics".


Any help would be wonderful.
-Eds
 
Welcome to TechSpot!
I'll help with the problem. But I need information to do it:

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
============================================
Once I see the logs, I'll be able to determine the cause of the redirects- hopefully. Since you are running 3 other PCs, if they are all connected to a router, I may have you reset the router, depending on what I see.

I note that you have run several other cleaning programs, unsuccessfully. You have also upgraded to Vista, then Windows 7. You have reformatted and reinstalled. All of this tends to make the problem murky. So I would like you to uninstall as follows:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Also uninstall Malwarebytes and HijackThis. I want fresh, new logs reflecting on the current condition of the system after all the updates, upgrades and reformat.

NOTE: If I determine that you should check all of the computers, I will ask you to start a new thread for each. Please don't do that yet- I can't work on your 4 systems at the same time and help others.
 
Bobbye,
Thanks for your help.
Here are the logs.




Step 1: Antivirus – installed Vipre Premium From Sunbelt-Software. Active and running.
Step 2: TFC Run to completion.
Step 3: Malware Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5655

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/1/2011 3:01:56 PM
mbam-log-2011-02-01 (15-01-56).txt

Scan type: Quick scan
Objects scanned: 187847
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\Users\EDS\AppData\Local\temp\Rar$EX58.448\key gen.exe (Dont.Steal.Our.Software) -> 2076 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\EDS\AppData\Local\temp\Rar$EX58.448\key gen.exe (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.

Step 4: GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-01 15:06:30
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5 WDC_WD1001FALS-00J7B1 rev.05.00K05
Running: GMER imbg95fi.exe; Driver: C:\Users\EDS\AppData\Local\Temp\pgrdapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

---- EOF - GMER 1.0.15 ----

Step 5: DDS

DDS (Ver_10-12-12.02) - NTFSx86
Run by EDS at 15:10:07.53 on Tue 02/01/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3325.2620 [GMT -5:00]

AV: Sunbelt VIPRE *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Sunbelt VIPRE *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
FW: Sunbelt VIPRE *Disabled* {86665057-352D-7810-313F-4F92DEFBC8FA}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\EDS\Desktop\New Folder\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uRun: [RealVNC_vncaddrbook] c:\program files\realvnc\vnc4\vncaddrbook.exe
uRun: [Iconoid] "c:\program files\iconoid\Iconoid.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\eds\appdata\roaming\micros~1\windows\startm~1\programs\startup\hardcopy.lnk - c:\program files\hardcopy\hardcopy.exe
StartupFolder: c:\users\eds\appdata\roaming\micros~1\windows\startm~1\programs\startup\pandora.lnk - c:\program files\pandora\Pandora.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2011-1-22 220760]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-1-22 78936]
R2 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-10-27 6573568]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-10-27 229888]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2011-1-22 68696]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-1-23 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-1-23 11104]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2011-1-22 68696]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-1-22 94040]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-20 1343400]

=============== Created Last 30 ================

2011-02-01 20:03:33 54016 ----a-w- c:\windows\system32\drivers\firatp.sys
2011-02-01 19:57:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 19:57:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 19:57:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-01 17:19:41 -------- d-----w- c:\users\eds\appdata\roaming\Avanquest
2011-02-01 17:19:41 -------- d-----w- c:\progra~2\Avanquest
2011-02-01 17:19:31 -------- d-----w- c:\program files\Avanquest
2011-02-01 17:19:03 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-02-01 17:10:45 -------- d-s---w- C:\ComboFix
2011-02-01 15:32:20 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-01 15:32:14 -------- d-----w- c:\users\eds\appdata\local\temp
2011-02-01 15:27:31 98816 ----a-w- c:\windows\sed.exe
2011-02-01 15:27:31 89088 ----a-w- c:\windows\MBR.exe
2011-02-01 15:27:31 256512 ----a-w- c:\windows\PEV.exe
2011-02-01 15:27:31 161792 ----a-w- c:\windows\SWREG.exe
2011-01-31 21:38:29 -------- d-----w- c:\program files\Hardcopy
2011-01-31 21:38:20 501760 ----a-w- c:\windows\SwSetupu.exe
2011-01-31 13:45:45 -------- d-----w- c:\program files\Registry Easy
2011-01-31 13:22:40 -------- d-----w- c:\program files\NirSoft
2011-01-30 15:34:00 -------- d-----w- c:\users\eds\appdata\roaming\Malwarebytes
2011-01-30 15:33:57 -------- d-----w- c:\progra~2\Malwarebytes
2011-01-30 00:11:12 -------- d-----w- C:\Boot
2011-01-26 23:56:35 -------- d-----w- c:\windows\Acronis
2011-01-25 02:44:37 -------- d-----w- c:\program files\Iconoid
2011-01-25 00:05:10 -------- d-----w- c:\program files\CCleaner
2011-01-23 16:57:22 170080 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-01-23 16:46:09 725064 ----a-w- c:\windows\system32\pwNative.exe
2011-01-23 16:46:08 16472 ------w- c:\windows\system32\pwdrvio.sys
2011-01-23 16:46:03 11104 ------w- c:\windows\system32\pwdspio.sys
2011-01-23 16:34:56 -------- d-----w- c:\program files\MSXML 4.0
2011-01-23 16:29:19 -------- d-----w- c:\users\eds\appdata\local\NeoSmart_Technologies
2011-01-23 16:27:35 -------- d-----w- c:\program files\NeoSmart Technologies
2011-01-22 21:09:23 -------- d-----w- c:\progra~2\ODIR
2011-01-22 21:08:19 209608 ----a-w- c:\windows\system32\Tabctl32.ocx
2011-01-22 21:08:19 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-01-22 21:08:19 -------- d-----w- c:\program files\ODIR
2011-01-22 20:56:21 -------- d-----w- c:\users\eds\appdata\roaming\Sunbelt
2011-01-22 20:56:21 -------- d-----w- c:\progra~2\Sunbelt
2011-01-22 20:49:18 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2011-01-22 20:49:14 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2011-01-22 20:48:42 68696 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2011-01-22 20:48:42 220760 ----a-w- c:\windows\system32\drivers\SbFw.sys
2011-01-22 20:48:39 -------- d-----w- c:\program files\Sunbelt Software
2011-01-22 20:40:42 -------- d-----w- c:\users\eds\appdata\roaming\MAPILab Ltd
2011-01-22 20:40:40 -------- d-----w- c:\program files\MAPILab Ltd
2011-01-22 20:30:18 -------- d-----w- c:\windows\Downloaded Installations
2011-01-22 20:14:01 -------- d-----w- c:\users\eds\appdata\roaming\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
2011-01-22 20:14:00 -------- d-----w- c:\program files\Pandora
2011-01-22 20:06:29 -------- d-----w- c:\program files\common files\MAPILab Ltd
2011-01-22 20:05:43 -------- d-----w- c:\users\eds\appdata\local\Downloaded Installations
2011-01-21 23:04:19 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-21 23:04:14 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{83185f68-eb5c-4e4b-96fa-9eb276f809a9}\mpengine.dll
2011-01-21 04:59:25 -------- d-----w- c:\windows\system32\appmgmt
2011-01-21 04:50:56 -------- d-----w- c:\users\eds\appdata\local\Relief_Software
2011-01-21 04:38:26 -------- d-----w- c:\users\eds\appdata\local\OutlookFreeware.com
2011-01-21 03:16:24 30568 ----a-w- c:\windows\system32\mdimon.dll
2011-01-21 03:16:24 30512 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2011-01-21 03:16:10 -------- d-----w- c:\users\eds\appdata\local\ElevatedDiagnostics
2011-01-21 03:15:20 -------- d-----w- c:\windows\PCHEALTH
2011-01-21 03:12:54 -------- d-----w- c:\users\eds\appdata\local\Microsoft Help
2011-01-21 03:05:47 -------- d-----w- c:\program files\Elaborate Bytes
2011-01-21 02:59:29 -------- d-----w- c:\users\eds\appdata\roaming\RealVNC
2011-01-21 02:51:49 -------- d-----w- c:\program files\MagicISO
2011-01-21 02:44:47 -------- d-----w- c:\users\eds\appdata\local\Mozilla
2011-01-21 02:39:59 -------- d-----w- c:\users\eds\appdata\local\Adobe
2011-01-21 02:34:28 90624 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HPZPPWN7.DLL
2011-01-21 01:56:49 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-21 01:54:08 -------- d-----w- c:\windows\Panther
2011-01-21 01:17:41 26112 ----a-w- c:\windows\system32\VNCpm.dll
2011-01-21 01:17:32 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2011-01-21 01:17:32 20992 ----a-w- c:\windows\system32\vncmirror.dll
2011-01-21 01:17:31 -------- d-----w- c:\program files\RealVNC
2011-01-20 23:52:10 -------- d-----w- c:\program files\LSI SoftModem
2011-01-20 23:51:10 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-01-20 23:44:13 -------- d-sh--w- c:\windows\Installer
2011-01-20 23:36:19 -------- d-----w- c:\windows\system32\Wat
2011-01-20 23:34:33 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-01-20 23:33:45 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-01-20 23:33:45 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-01-20 23:33:45 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-01-20 23:33:45 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-01-20 23:33:45 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-01-20 23:24:14 987136 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-20 23:24:14 573440 ----a-w- c:\windows\system32\odbc32.dll
2011-01-20 23:24:14 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-20 23:24:14 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-20 23:24:14 208896 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-20 23:24:08 292864 ----a-w- c:\windows\system32\apphelp.dll
2011-01-20 23:24:06 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-01-20 23:24:06 1619968 ----a-w- c:\program files\windows mail\msoe.dll
2011-01-20 23:24:04 1233920 ----a-w- c:\windows\system32\msxml3.dll
2011-01-20 23:24:02 37376 ----a-w- c:\windows\system32\rtutils.dll
2011-01-20 23:24:01 224256 ----a-w- c:\windows\system32\schannel.dll
2011-01-20 23:23:58 1286456 ----a-w- c:\windows\system32\ntdll.dll
2011-01-20 23:23:54 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-01-20 23:23:54 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-01-20 23:23:52 34816 ----a-w- c:\windows\system32\msasn1.dll
2011-01-20 23:23:47 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-01-20 23:23:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2011-01-20 23:23:38 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-01-20 23:22:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 23:20:47 2327552 ----a-w- c:\windows\system32\win32k.sys
2011-01-20 23:15:14 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-01-20 23:12:00 -------- d-----w- c:\windows\system32\wbem\Performance
2011-01-20 23:05:28 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-01-20 23:05:28 132608 ----a-w- c:\windows\system32\cabview.dll

==================== Find3M ====================

2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 15:10:46.53 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume8
Install Date: 1/20/2011 6:04:10 PM
System Uptime: 2/1/2011 2:48:50 PM (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA790FXT-UD5P
Processor: AMD Phenom(tm) II X4 955 Processor | Socket M2 | 3200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 402 GiB total, 383.107 GiB free.
D: is FIXED (NTFS) - 50 GiB total, 22.032 GiB free.
E: is FIXED (NTFS) - 85 GiB total, 52.12 GiB free.
F: is FIXED (NTFS) - 50 GiB total, 9.07 GiB free.
G: is FIXED (NTFS) - 10 GiB total, 3.407 GiB free.
H: is FIXED (NTFS) - 50 GiB total, 45.72 GiB free.
I: is FIXED (NTFS) - 28 GiB total, 13.534 GiB free.
J: is FIXED (NTFS) - 104 GiB total, 81.655 GiB free.
K: is FIXED (NTFS) - 103 GiB total, 84.561 GiB free.
L: is CDROM ()
M: is FIXED (NTFS) - 50 GiB total, 36.866 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP28: 1/26/2011 7:54:30 PM - Scheduled Checkpoint
RP1: 1/27/2011 7:12:28 PM - Windows Update
RP2: 1/27/2011 9:03:43 PM - Windows Update
RP3: 1/28/2011 3:00:25 AM - Windows Update
RP4: 1/28/2011 3:14:31 AM - Windows Update
RP5: 1/28/2011 7:17:01 AM - Windows Update
RP6: 1/29/2011 9:09:57 AM - Device Driver Package Install: Elaborate Bytes AG Storage controllers
RP29: 2/1/2011 10:27:43 AM - ComboFix created restore point
RP30: 2/1/2011 12:19:22 PM - Installed PowerDesk 7

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acronis Disk Director Home
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X
CCleaner
EasyBCD 2.0
Hardcopy (C:\Program Files\Hardcopy)
Iconoid version 3.8.6
LSI USB 2.0 Soft Modem
Magic ISO Maker v5.5 (build 0281)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
ODIR
Pandora
PowerDesk 7
Registry Easy v5.6
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2483110)
VIPRE Antivirus Premium
VirtualCloneDrive
VNC Enterprise Edition E4.6.0
VNC Mirror Driver 1.8.0
VNC Printer Driver 1.7.0
WinRAR 4.00 beta 4 (32-bit)

==== Event Viewer Messages From Past Week ========

2/1/2011 2:51:33 PM, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
2/1/2011 2:49:28 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/1/2011 2:49:28 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
2/1/2011 10:31:13 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

==== End Of File ===========================
 
My internet connection was down from Tuesday night to this morning. I'll be catching up, but I do have some threads before you.

There are some entries in Combofix that I have to identify, but please do the following:

Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.

As far as I can tell, the following 2 entries work together to delete hardcopy- is that correct? What hardcopy?
2011-01-31 21:38:29 -------- d-----w- c:\program files\Hardcopy
2011-01-31 21:38:20 501760 ----a-w- c:\windows\SwSetupu.exe
HardCopy being a screen capture utility. I was not able to ID SwSetupu.exe on any safe site.

Regarding c:\program files\Registry Easy. Most of us do not recommend using a Registry Cleaner. IF you decide to keep this, backup the Registry before using and be careful with removals.
============================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
No problems.
I appreciate your support, was just concerned that you might have been real busy and missed me.

As for "SwSetupu.exe", I do not remember what utility installs it, but I think it is Hardcopy. I do not think this is a new issue. I remember identifying this in the past, and it is installed with a trusted software package.


CKScanner - Additional Security Risks - These are not necessarily bad

scanner sequence 3.FF.11
----- EOF -----



NOD32
C:\Program Files\Registry Easy\Recoveryer.dll Win32/Adware.RegistryEasy application
C:\Program Files\Registry Easy\RegEasyCleaner.exe a variant of Win32/Adware.RegistryEasy application
C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix.exe multiple threats
C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\Process.exe Win32/PrcView application
C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\restart.exe Win32/Shutdown.NAA application
E:\ANGRY IP.exe Win32/NetTool.Portscan.C application
E:\SmitfraudFix.exe multiple threats
E:\ TORRENTS\D O N E\Xilisoft.iPod.Rip.v2.1.41.0104.Incl.Keygen-Lz0.rar a variant of Win32/Mehpet.A trojan
E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Advanced.Windows.Password.Recovery.3.5.1.incl.serial.rar Win32/PassRecovery application
E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.Password.Auditor.v1.61.incl.crack.rar probably a variant of Win32/Agent.LRKDMTB trojan
E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.System.Password.Recovery.v4.1.rar Win32/PassRecovery application
E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Elcomsoft Password Recovery Suit [Portable].rar Win32/PassRecovery application
E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Advanced Windows Password Recovery\AWPR.exe Win32/PassRecovery application
E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial.rar a variant of Win32/Olmarik.AHY trojan
E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe a variant of Win32/Olmarik.AHY trojan
E:\HALO\CheatEngine53.exe multiple threats


Awaiting Further Directions.
 
It is difficult for me to understand why, after I pointed piracy out to you, that you went right back and did it again!!!

TORRENTS mean file sharing and serial means piracy!

E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe a variant of Win32/Olmarik.AHY trojan

Spyware Doctor 2011 offers a Free Trial, then $29.95 to buy

When you download a serial/crack/keygen to unlock a program instead of paying for it, you are stealing the program. That is called piracy.

What part of that do you not understand?

Support is withdrawn and this thread is closed.
 
Thread is being reactivated at member's request. Hopefully the source of repeated piracy will be controlled. Go ahead and run the following. I'm gathering some information on what was downloaded, to give you a better idea of what you are dealing with.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Program Files\Registry Easy\Recoveryer.dll 
    C:\Program Files\Registry Easy\RegEasyCleaner.exe 
    C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix.
    C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\Process.exe 
    C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\restart.exe 
    E:\ANGRY IP.exe 
    E:\SmitfraudFix.exe 
    E:\ TORRENTS\D O N E\Xilisoft.iPod.Rip.v2.1.41.0104.Incl.Keygen-Lz0.rar 
    E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Advanced.Windows.Password.Recovery.3.5.1.incl.serial.rar 
    E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.Password.Auditor.v1.61.incl.crack.rar 
    E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.System.Password.Recovery.v4.1.rar Win32/PassRecovery application
    E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Advanced Windows Password Recovery\AWPR.exe 
    E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial.rar a 
    E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe 
    E:\HALO\CheatEngine53.exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red MoveIt! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Error: Unable to interpret <C:\Program Files\Registry Easy\Recoveryer.dll > in the current context!
Error: Unable to interpret <C:\Program Files\Registry Easy\RegEasyCleaner.exe > in the current context!
Error: Unable to interpret <C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix.> in the current context!
Error: Unable to interpret <C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\Process.exe > in the current context!
Error: Unable to interpret <C:\Users\EDS\Desktop\New Folder\SmitfraudFix\SmitfraudFix\restart.exe > in the current context!
Error: Unable to interpret <E:\ANGRY IP.exe > in the current context!
Error: Unable to interpret <E:\SmitfraudFix.exe > in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\Xilisoft.iPod.Rip.v2.1.41.0104.Incl.Keygen-Lz0.rar > in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Advanced.Windows.Password.Recovery.3.5.1.incl.serial.rar > in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.Password.Auditor.v1.61.incl.crack.rar > in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\ P R O G R A M S\ElcomSoft.AIO\Proactive.System.Password.Recovery.v4.1.rar Win32/PassRecovery application> in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\Elcomsoft Password Recovery Suit [Portable]\Advanced Windows Password Recovery\AWPR.exe > in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial.rar a > in the current context!
Error: Unable to interpret <E:\ TORRENTS\D O N E\Spyware Doctor 2011 v8.0.0.606 With Serial\Spyware Doctor 2011 v8.0.0.606 With Serial\Setup\ sdsetup.exe > in the current context!
Error: Unable to interpret <E:\HALO\CheatEngine53.exe > in the current context!

OTM by OldTimer - Version 3.1.17.2 log created on 02052011_143844
 
Wait until tomorrow - I'll move them with a script through ComboFix.

Did you find out what the E Drive is? Could it have been a flash drive that was connected at the time of the scan?

And I have Notepad going to gather the causes of the mischief with the pirated programs. One of the processes downloaded is a port scanner:
A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

Put the port scanner together with the password recovery app and I see the potential for doing things and going places that should not be available!
 
I think I solved the Issue.

Oddly enough I do not believe I actually had a hijack.
Even though it acted like the Browser re-direct virus.

I simply changed the primary and Secondary DNS #'s that were in the router [provided by my ISP ?] and the problem went away. I am now on the OPEN DNS #'s and have no issues at all.

I did not confirm that the programmed #'s were the actual ones that my ISP provided but I am unaware of any virus that could change them at my router. So I assume it is their DNS where the issue is.


As for the torrents.
I have deleted them and uninstalled any programs that were related to them.
I have also deleted any folders that remained after rebooting.

What other steps should I take to clean them off my pc?
 
Oddly enough I do not believe I actually had a hijack.
Even though it acted like the Browser re-direct virus.
There really isn't much difference. For instance, how would you define a browser hijack vs a redirect?

It "sounds like" you had a DNS Changer malware infection. This requires a DNS flush followed by a router reset.

You never did reply to my question asking what the E Drive was. But whoever was using it was making attempts to get passwords as well as looking for open ports.

I don't think anything has been done to actually remove the malware, since OTM failed, but if you think the problem has been resolved and want to clean up:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    Creating a Restore Point in Windows 7:
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.

    Deleting all but the most recent System Protection point in Windows 7
    1. Click Start> Computer> right click the C Drive and choose Properties> enter.
    2. Click Disk Cleanup from there.
    3. Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    4. Click the More Options tab
    5. Click the Clean up under System Restore and Shadow Copies.
    6. Click OK.
    7. You will get a confirmation screen> Just click Delete.
    8. Click OK on the Disk Cleanup Screen.
    9. Click Delete Files on the Confirmation screen.

    It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
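The DNS Changer diagnosis above comes down to one check: which resolvers each adapter is actually using, and whether they are the ones the owner intends. The script below is an added example, not something posted in this thread or part of any of the tools named in it. It parses a constructed `ipconfig /all` sample (hostname, adapter names and the 203.0.113.53 resolver are placeholders) and reports any resolver that is not on an allow-list made of the OpenDNS pair the poster switched to plus the router's own address.

```python
import re
from typing import Dict, List

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# The wireless adapter carries a resolver that does not belong there.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

# Resolvers the owner intends: the OpenDNS pair plus the router itself.
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220", "192.168.1.1"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")           # section header
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: (\S+)$")      # first resolver
CONT_RE = re.compile(r"^\s{20,}(\S+)$")                   # extra resolvers

def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers ipconfig lists for it."""
    servers: Dict[str, List[str]] = {}
    adapter, in_dns = None, False
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
        elif adapter and (m := DNS_RE.match(line)):
            servers[adapter].append(m.group(1))
            in_dns = True
        elif in_dns and (m := CONT_RE.match(line)):
            servers[adapter].append(m.group(1))
        else:
            in_dns = False          # any other line ends the resolver list
    return servers

def unexpected_resolvers(text: str, expected=EXPECTED_DNS) -> Dict[str, List[str]]:
    """Adapters whose resolver list contains an address not on the allow-list."""
    return {a: [s for s in srv if s not in expected]
            for a, srv in parse_dns_servers(text).items()
            if any(s not in expected for s in srv)}
```

On a real machine, feed the function the text from running `ipconfig /all` instead of the sample. A changed resolver on the router itself (the case the poster describes) will not show up here, because the host only sees the router's address; that one has to be checked in the router's own DNS settings.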
 