Inactive Sound and QL bar disabling and redirect/popups


ericcothran

Ok, I ran my tools in safe mode and most of the time they would find something, but when I boot up I still seemed to be infected. My quicklaunch bar disappears and my sound (onboard) becomes disabled. I also have an issue of redirecting (Mozilla). Here are the logs of the steps.
 

Attachments: gmer.log, mbam-log-2010-06-20 (09-30-58).txt, DDS.zip, Attach.zip
Please, do NOT zip any logs.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments: Attach.txt, DDS.txt
I believe I did this right, hope it shows a way fix this.
 

Attachments: ComboFix-quarantined-files.txt
Yeah, Combofix deleted your Notepad for some reason. We'll fix it.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
DEQUARANTINE::
C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.exe.vir

File::
C:\SZKGFS.dat
c:\documents and settings\NetworkService\flaF.tmp
c:\documents and settings\ericcothran\jar_cache6134322960724077861.tmp
c:\documents and settings\LocalService\fla78.tmp
c:\documents and settings\NetworkService\fla15.tmp
c:\documents and settings\NetworkService\fla14.tmp
c:\documents and settings\ericcothran\~DF996C.tmp
c:\documents and settings\ericcothran\jar_cache2899321965853235821.tmp
c:\documents and settings\NetworkService\fla27.tmp
c:\documents and settings\LocalService\fla63.tmp
c:\documents and settings\LocalService\fla27.tmp
c:\documents and settings\NetworkService\fla16.tmp
c:\documents and settings\NetworkService\fla21.tmp
c:\documents and settings\ericcothran\~DFF3D7.tmp
c:\documents and settings\NetworkService\fla4.tmp
c:\documents and settings\NetworkService\fla5.tmp
c:\documents and settings\ericcothran\~DFCDE6.tmp
c:\documents and settings\LocalService\fla1E.tmp
c:\documents and settings\NetworkService\fla19.tmp
c:\documents and settings\NetworkService\fla32.tmp
c:\windows\system32\config\systemprofile\56.tmp
c:\windows\system32\config\systemprofile\2.tmp
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\Alcmtr.exe


Folder::
c:\documents and settings\All Users\Application Data\SITEguard
c:\program files\Common Files\iS3
c:\documents and settings\All Users\Application Data\STOPzilla!
c:\documents and settings\ericcothran\STOPzilla!


Driver::
IS360service
bvytdppb

NetSvc::
bvytdppb


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=-


RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
I had to do the edit with WordPad; when I type notepad.exe in Run it tells me "cannot find notepad.exe, make sure you have it spelled correctly..." So, let me know if I did it right.
 

Attachments: ComboFix.txt
For some reason, Combofix keeps deleting notepad.exe file.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
DEQUARANTINE::
C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.exe.vir
QUIT::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



By now, you should have your Notepad back, but we have to make sure, there is nothing wrong with that file.

Open Windows Explorer. Go Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders.
Upload following files to http://www.virustotal.com/ for security check:

- c:\windows\system32\notepad.exe

IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
If the result says 0/42, you don't have to post logs.
 
Here's what I got from the link. notepad.exe is there now, but doesn't open. No prompt or anything, just nothing.

File notepad.exe received on 2010.06.22 20:03:12 (UTC)
Antivirus Version Last Update Result
a-squared 5.0.0.30 2010.06.22 -
AhnLab-V3 2010.06.22.02 2010.06.22 -
AntiVir 8.2.2.6 2010.06.22 -
Antiy-AVL 2.0.3.7 2010.06.22 -
Authentium 5.2.0.5 2010.06.22 -
Avast 4.8.1351.0 2010.06.22 -
Avast5 5.0.332.0 2010.06.22 -
AVG 9.0.0.787 2010.06.22 -
BitDefender 7.2 2010.06.22 -
CAT-QuickHeal 10.00 2010.06.22 -
ClamAV 0.96.0.3-git 2010.06.22 -
Comodo 5186 2010.06.22 -
DrWeb 5.0.2.03300 2010.06.22 -
eSafe 7.0.17.0 2010.06.22 Win32.Banker
eTrust-Vet 36.1.7658 2010.06.22 -
F-Prot 4.6.1.107 2010.06.21 -
F-Secure 9.0.15370.0 2010.06.22 -
Fortinet 4.1.133.0 2010.06.22 -
GData 21 2010.06.22 -
Ikarus T3.1.1.84.0 2010.06.22 -
Jiangmin 13.0.900 2010.06.15 -
Kaspersky 7.0.0.125 2010.06.22 -
McAfee 5.400.0.1158 2010.06.22 -
McAfee-GW-Edition 2010.1 2010.06.22 -
Microsoft 1.5902 2010.06.22 -
NOD32 5219 2010.06.22 -
Norman 6.05.10 2010.06.22 -
nProtect 2010-06-22.01 2010.06.22 -
Panda 10.0.2.7 2010.06.22 -
PCTools 7.0.3.5 2010.06.22 -
Prevx 3.0 2010.06.22 -
Rising 22.53.01.04 2010.06.22 -
Sophos 4.54.0 2010.06.22 -
Sunbelt 6489 2010.06.22 -
Symantec 20101.1.0.89 2010.06.22 -
TheHacker 6.5.2.0.302 2010.06.22 -
TrendMicro 9.120.0.1004 2010.06.22 -
TrendMicro-HouseCall 9.120.0.1004 2010.06.22 -
VBA32 3.12.12.5 2010.06.22 -
ViRobot 2010.6.21.3896 2010.06.22 -
VirusBuster 5.0.27.0 2010.06.22 -
Additional information
File size: 69120 bytes
MD5...: 5e28284f9b5f9097640d58a73d38ad4c
SHA1..: 7a90f8b051bc82cc9cadbcc9ba345ced02891a6c
SHA256: 865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5
ssdeep: 1536:bwOnbNQKLjWDyy1o5I0foMJUEbooPRrKKReFX3:RNQKPWDyDI0fFJltZrpReFX3
PEiD..: -
RDS...: NSRL Reference Data Set: -
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (53.1%)
        Windows Screen Saver (18.4%)
        Win32 Executable Generic (12.0%)
        Win32 Dynamic Link Library (generic) (10.6%)
        Generic Win/DOS Executable (2.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Notepad
original name: NOTEPAD.EXE
internal name: Notepad
file version.: 5.1.2600.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
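As an added example (not part of this thread or of any tool mentioned in it), a small Python triage helper that reads a pasted VirusTotal text report like the one above, tallies detections per engine and pulls out the sigcheck publisher and "verified" fields so a lone hit and a signature mismatch stand out; the embedded report is a constructed, trimmed sample, not the full 42-engine result.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the kind of VirusTotal text report
# pasted in the thread (engine, version, last update, result) plus the
# sigcheck block. Not the thread's full 42-engine report.
SAMPLE_REPORT = """\
File notepad.exe received on 2010.06.22 20:03:12 (UTC)
Antivirus Version Last Update Result
a-squared 5.0.0.30 2010.06.22 -
eSafe 7.0.17.0 2010.06.22 Win32.Banker
Microsoft 1.5902 2010.06.22 -
Symantec 20101.1.0.89 2010.06.22 -
Additional information
File size: 69120 bytes
sigcheck:
publisher....: Microsoft Corporation
verified.....: Unsigned
"""

# One engine row: name, version, update date (YYYY.MM.DD), verdict ('-' = clean).
ENGINE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

@dataclass
class Triage:
    engines: int = 0
    detections: dict = field(default_factory=dict)  # engine -> verdict
    publisher: str = "unknown"
    verified: str = "unknown"

def parse_report(text: str) -> Triage:
    """Tally engine rows and pull the two sigcheck fields that matter here."""
    t = Triage()
    for line in text.splitlines():
        m = ENGINE_ROW.match(line)
        if m:
            t.engines += 1
            if m.group(4) != "-":
                t.detections[m.group(1)] = m.group(4)
        elif line.startswith("publisher"):
            t.publisher = line.split(":", 1)[1].strip()
        elif line.startswith("verified"):
            t.verified = line.split(":", 1)[1].strip()
    return t

def assess(t: Triage) -> list[str]:
    """Findings a responder wants: a lone hit is often a false positive, but
    an OS binary naming Microsoft as publisher without a verified signature
    is worth comparing against a known-good hash whatever the ratio."""
    notes = []
    if t.detections:
        hits = ", ".join(f"{e}: {v}" for e, v in sorted(t.detections.items()))
        notes.append(f"{len(t.detections)}/{t.engines} engines flag the file ({hits})")
    if "microsoft" in t.publisher.lower() and t.verified.lower() != "signed":
        notes.append(f"publisher '{t.publisher}' but signature status '{t.verified}'")
    return notes
```

Windows system binaries of that era are usually catalog-signed rather than carrying an embedded Authenticode signature, so "Unsigned" on its own is weak evidence; comparing the file's hash against a known-good copy from the same service pack is the stronger check.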
 
What happens, when you double click on notepad.exe?

How is your computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

==================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I can open notepad from the Run menu, but it looks like a .exe in start, programs, acc. I'm also still getting redirects on Yahoo search results.
 
They were too big to copy/paste. Here are the log files from OTL.
 

Attachments: OTL.Txt, Extras.Txt
but it looks like a .exe in start, programs, acc.
I'm not sure, if I understand...


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O4 - HKLM..\Run: [UserFaultCheck]  File not found
    O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -  File not found
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - Reg Error: Key error. File not found
    [2010/06/19 18:19:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ericcothran\e4jBD.tmp_dir10426
    [2010/06/19 18:19:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ericcothran\e4jBB.tmp_dir10377
    [2010/06/19 17:58:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
    [2010/06/19 17:58:15 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/04/04 12:59:57 | 000,010,426 | -HS- | M] () -- C:\Documents and Settings\ericcothran\p7Fj0O6C
    [2010/04/04 12:59:56 | 000,010,426 | -HS- | M] () -- C:\Documents and Settings\ericcothran\Local Settings\Application Data\p7Fj0O6C
    [2010/04/04 12:59:56 | 000,010,426 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\p7Fj0O6C
    [2010/06/19 17:58:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
    [2009/10/15 08:02:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ericcothran\Application Data\yactvzvh
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
I thought I posted about this earlier. Today when I tried to log on I got a welcome screen and a logon icon; when I hit the icon I get "Loading your settings..." then it says "Saving your settings..." and gives me the same log on screen. I even tried in safe mode, but can't find any way around this.
 
After looking the problem up on Yahoo I have found everyone that has had this issue has claimed it was a spyware removal program. I can't find my Windows XP disc atm to try to make a repair.
 
Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (file size 120.9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Did you boot from the CD, you just created?
Did you check if the CD drive is listed 1st in the BIOS "boot order"?
 
Did the CD drive work before?
I assume you put the CD in and restart the computer?
Then, after restarting, you should see this message:
"Press any key to boot from CD"
Do you see this message?
 
The CD drive worked. I even get an option on boot-up to press F11 and select which to boot from, the HDD or CD drive. I did not get any boot from CD message.
 