JP_Auto
Honorary Members-
Posts
21 -
Joined
-
Last visited
Reputation
0 Neutral-
Hi Gringo, Software removed, Donation sent. Thank you so much again for all your help, have a great day!
-
Thank you for your replies and info. In regards to question #1 (removing the trojan in history). It is located under the History Tab and listed as quarantined. All that i need to do is go down to the "detected item box" and check the box beside the virus name, then click remove. I apologize, i should have been more clear, i was only asking if it was OK for me to remove it. Thanks. I will await your instructions for your software removal.
-
Well my good man, you did it. Simple restart didnt resolve the redirects but resetting firefox, then restarting PC,did. I tried about 10 sites and didnt get any redirects. Thank You so much. I did have a few questions before you wrapped this up with your software removal instructions... 1. Am i able to clear that Trojan Win32/Tracur.AU that is in my MSE history? 2. MSE is telling me i havent run a scan in awhile (kinda strange considering thats all i've done this past week). Am i ok to now do so? 3. I must give you a donation for all you have done to resolve this for me. Would you say i am safe to now use sensitive info sites such as paypal? (i am always concerned with backdoor viruses that may have not been completely removed/repaired). 4. Lastly, Is there anyway you are able to tell where this virus came from? Reason i ask is because no one screws around on this computer (atleast they shouldnt be). It is strictly for graphic designs and running a vinyl plotter. Only thing i can think if it came from a font download but if im using a free font site, i only download zip files and scan it before i extract it. I was just wondering if you had any thoughts. Thank you so much, Gringo
-
Computer is still getting google redirects using Firefox. Although, I havent restarted it yet. Not sure if that matters .
-
Hi Gringo, I removed start up entries and ran ESET Scan Here is the log: C:\Qoobox\Quarantine\C\Users\Purcell\acrobatreader.exe.vir Win32/LockScreen.APR trojan C:\Qoobox\Quarantine\C\Users\Purcell\flashplayer.exe.vir Win32/LockScreen.APR trojan C:\Qoobox\Quarantine\C\Users\Purcell\mstsc.exe.vir a variant of Win32/Injector.AHHN trojan C:\Qoobox\Quarantine\C\Users\Purcell\AppData\Roaming\acmsp.dll.vir a variant of Win32/Medfos.QE trojan C:\Qoobox\Quarantine\C\Users\Purcell\AppData\Roaming\srobc.dll.vir a variant of Win32/Medfos.QE trojan
-
Only problem i noticed was when the Terms of Service opened for Hijack This, I instantly received a msg from MS WIndows >> "Synaptics TouchPad Enhancements has stopped working" . Close program was only option, so i did that. Computer seems great, although, i still got a google redirect. The order/names of my attempts are as follow: Malwarebytes >> NO redirect, Etsy >> NO redirect, Pinterest>>THIS CONTENT IS LOCKED BY WEBGAURD (the website name looked like an IP address), Ebay >> NO redirect, Facebook >> NO redirect, Pinterest Again >> NO redirect. Again, not sure if that means anything to you or not, just wanted to give you the details. Thank You
-
HIJACK THIS LOG: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 6:13:59 PM, on 5/31/2013 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.19418) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe C:\Windows\Explorer.EXE C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\notepad.exe C:\Users\Purcell\Desktop\HijackThis.exe C:\Windows\system32\SearchFilterHost.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTNavAssist.dll O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\IPSBHO.DLL O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\coIEPlg.dll O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [updateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" O4 - HKLM\..\Run: [updatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" O4 - HKLM\..\Run: [updateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" O4 - HKLM\..\Run: [updatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\coIEPlg.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 9647 bytes
-
Hi Gringo, The info you requested MBAM LOG: Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Database version: v2013.05.31.07 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 8.0.6001.19418 Purcell :: PURCELL-PC [administrator] 5/31/2013 5:59:12 PM mbam-log-2013-05-31 (17-59-12).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 227970 Time elapsed: 9 minute(s), 47 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
-
PC seems stable. I still have the Trojan:Win32/Tracur.AU in the quarantined list. I checked processes..No iexplorer processes running! So hopefully thats a plus. Still had a redirect..clicked Ebay site link in google search>>>took me to "best weight loss"...
-
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version Started in : Normal mode User : Purcell [Admin rights] Mode : Remove -- Date : 05/31/2013 01:24:35 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 6 ¤¤¤ [TASK][sUSP PATH] Update : "C:\Users\Purcell\AppData\Local\Temp\all2that_hastchange.EXE" [x] -> DELETED [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0) [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ SSDT[21] : NtAlpcConnectPort @ 0x819FB8A1 -> HOOKED (Unknown @ 0x872C9890) SSDT[78] : NtCreateThread @ 0x81AA2DC8 -> HOOKED (Unknown @ 0x8734A0C0) SSDT[165] : NtLoadDriver @ 0x8197CE12 -> HOOKED (Unknown @ 0x872C9818) SSDT[282] : NtResumeThread @ 0x81A2CC5A -> HOOKED (Unknown @ 0x8734A208) ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD1600BEVT-60ZCT1 ATA Device +++++ --- User --- [MBR] 5a83342323edffadc45fd4f0f3bbd8c5 [bSP] 2ceda49377abb5c8de90bfd3c18981cf : Toshiba MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 142017 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 290852864 | Size: 10606 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[2]_D_05312013_02d0124.txt >> RKreport[1]_S_05312013_02d0122.txt ; RKreport[2]_D_05312013_02d0124.txt
-
TDSSKiller.2.8.16.0_31.05.2013_01.06.17_log.txt
-
Ok, I shut the infected PC down as it has become extremely slow with a constant running fan since this new found trojan that i just mentioned after the last log i posted. I will try and restart and download TDSS Killer. Would you recommend having MSE remove that new trojan first?
-
MSE now shows a name. Trojan:Win32/Tracur.AU. I did not remove yet. Also, taskbar came back but no icons in bottom right other than battery (which was showing dead for approx 5 min) and interent connection computers ( which were showing disconnected for approx 5 min as well).....
-
Just had a message pop up for MSE>>detected threats are being cleaned and it has the rotating arrows in the icon showing its scanning. Not sure what thats about, havent seen that since i first had the virus..task just disappeared now as well. Not showing any threat names tho
-
Still showing the multiple iexplorer processes. Haven't noticed any of the "iexplorer or rundll32 stopped working" messages. Only had 1 redirect. Normally, as a test, i would just type Malwarebytes in google search, click the link to take me to the website and i would be redirected, not the case this time. So then i typed in Etsy, clicked site link and WAS redirected. Then tried Facebook >> no redirect, Ebay >> no redirect...all in that order, The log, as you requested and again thank you.. ========== OTL ========== Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found. Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully. Registry key HKEY_USERS\S-1-5-21-1729434737-3337028257-902342120-1000_Classes\.com\ deleted successfully. Registry key HKEY_USERS\S-1-5-21-1729434737-3337028257-902342120-1000_Classes\ComFile\ not found. HKEY_LOCAL_MACHINE\Software\Classes\.com\\|comfile /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{83466BAB-5D79-4670-B0A9-BF6D5826C53A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83466BAB-5D79-4670-B0A9-BF6D5826C53A}\ not found. C:\ProgramData\~36691704r moved successfully. C:\ProgramData\~36691704 moved successfully. ========== FILES ========== < ipconfig /flushdns /c > Windows IP Configuration Successfully flushed the DNS Resolver Cache. C:\Users\Purcell\Desktop\cmd.bat deleted successfully. C:\Users\Purcell\Desktop\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYJAVA] User: All Users User: Default User: Default User User: Public User: Purcell ->Java cache emptied: 2625621 bytes Total Java Files Cleaned = 3.00 mb [EMPTYFLASH] User: All Users User: Default User: Default User User: Public User: Purcell ->Flash cache emptied: 506 bytes Total Flash Files Cleaned = 0.00 mb OTL by OldTimer - Version 3.2.69.0 log created on 05302013_234814