Solved Redirects/Pop-Ups/Host Services Being Stopped

[ZombieTarget]

Greetings!

Firstly, let me apologize right off the bat for posting what seems like the millionth post in this forum with this exact problem. I just wish it had a uniform, blanket fix, lol. I normally wouldn't, but I'm not sure where else to turn.

I got the latest iteration of the Antivirus Soft virus/malware on June 1st, and went through all the steps recommended to get rid of it. I've managed to remove the virus package (or so I thought) pretty quickly, however, it seems like it managed to screw up a lot of stuff deep inside my system.

Firstly, search engine results take me to random advert sites, which is not surprising. Additionally, I get random pop-ups - sometimes even when I'm sitting idly by online (Yes, I use Firefox). To add on to the pile, while my computer is up and running, I'll see messages about various Host Services stopping, for what seems like no good reason.

So, I come to this forum in dire need of help. Everyone seems very helpful here, and I sure hope I can get my laptop back in working order! I'll post my log files here with the message.

Thanks for any and all help that comes my way.

 

[Broni]

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[ZombieTarget]

Here are the logs, as requested. However, in Step 3, I could not complete the step for Windows Updates. This infection has disabled all connection requests to Microsoft/Windows sites, both in-browser and via automatic updates.
-----------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4165

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/8/2010 9:02:36 AM
mbam-log-2010-06-08 (09-02-36).txt

Scan type: Quick scan
Objects scanned: 124454
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-08 09:22:12
Windows 6.0.6002 Service Pack 2
Running: y939wg53.exe; Driver: C:\Users\Don\AppData\Local\Temp\pwldapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8EE1CAC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8EE1C8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8EE1CA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 81D72DF0 7 Bytes JMP 8EE1CA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81DDE28F 5 Bytes JMP 8EE18536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 81E37038 5 Bytes JMP 8EE19EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 81E388C3 7 Bytes JMP 8EE1C8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81E98892 7 Bytes JMP 8EE1CACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8D804320, 0x3F5147, 0xE8000020]
? system32\drivers\WPRO_40_1340.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[816] ntdll.dll!NtProtectVirtualMemory 77CA4D34 5 Bytes JMP 0025000A
.text C:\Windows\Explorer.EXE[816] ntdll.dll!NtWriteVirtualMemory 77CA5674 5 Bytes JMP 0026000A
.text C:\Windows\Explorer.EXE[816] ntdll.dll!KiUserExceptionDispatcher 77CA5DC8 5 Bytes JMP 0024000A
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!WindowFromPoint 7758884F 5 Bytes JMP 07B81A38
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!ShowWindow 7758CA10 5 Bytes JMP 07B84A50
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!SetWindowPos 775935E3 5 Bytes JMP 07B86A60
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!DestroyWindow 77597FB6 5 Bytes JMP 07B85A58
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!DispatchMessageA 77598B6D 5 Bytes JMP 07B82A40
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!DispatchMessageW 775A021C 5 Bytes JMP 07B83A48
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!GetCursorPos 775A0B88 5 Bytes JMP 07B88A70
.text C:\PROGRA~1\Raptr\raptr.exe[1708] USER32.dll!AnimateWindow 775AA52D 5 Bytes JMP 07B87A68
.text C:\PROGRA~1\Raptr\raptr.exe[1708] GDI32.dll!BitBlt 766B70A6 5 Bytes JMP 07B80A30

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[612] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
IAT C:\Windows\system32\services.exe[612] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\BTHUSB \Device\00000070 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000070 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 dvd43llh.sys (dvd43llh.sys/RIF)
Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\BTHUSB \Device\0000006e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000006e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\Windows\system32\rpcnet.exe (*** hidden *** ) @ C:\Windows\system32\rpcnet.exe [4036] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f16272
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f16272@002568f29ca2 0xB6 0x47 0x1F 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDC 0xF5 0xD6 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6D 0x65 0xAA 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBF 0xEE 0x1F 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1f16272 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1f16272@002568f29ca2 0xB6 0x47 0x1F 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDC 0xF5 0xD6 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6D 0x65 0xAA 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBF 0xEE 0x1F 0x22 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy170.gthr

---- EOF - GMER 1.0.15 ----

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[ZombieTarget]

Please find attached a copy of C:/ComboFix.txt

 

[Broni]

How is redirection issue?

You're running two AV programs, Avast and MSE. One of them has to go. Your choice.

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[ZombieTarget]

Redirects have ceased.

Please find attached a copy of C:\ComboFix.txt generated when using the CFScript.txt file.

 

[Broni]

Very good

Did you?

You're running two AV programs, Avast and MSE. One of them has to go. Your choice.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=====================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post HijackTHis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator

 

[ZombieTarget]

I'm sorry, yes, I did get rid of one of the programs. Avast! was removed.

Here are the Kaspersky and HijackThis reports, as requested.

 

[Broni]

Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
C:\Users\Don\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c5dbd33\Report.cab
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[ZombieTarget]

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Users\Don\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c5dbd33\Report.cab moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Don
->Temp folder emptied: 108826176 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 61254086 bytes
->Flash cache emptied: 827 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5022 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 790 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 162.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06092010_150230

Files moved on Reboot...

Registry entries deleted on Reboot...

 

[Broni]

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

• Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
• After the reboot all the tools we used should be gone.
• The tool will delete itself once it finishes.

=====================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

 

[ZombieTarget]

I cannot thank you enough for all of your help. My computer is virus-free and working like brand new! I have installed Web of Trust, and will be referencing the article about how people get infected for a loooooooong time.

I'd like to know if you guys accept donations, because service like this deserves to be recognized.

 

[Broni]

Way to go!!

Good luck and stay safe

I'm not sure about donations. You'd have to PM one of staff members...