
Given a hand-me-down laptop with IE getting redirected



When I first received this laptop, my mom no longer wanted it because her boot file had been corrupted, so it wouldn't start up. My dad bought her a new one for Christmas, so once I fixed the issue with the boot file, the computer became mine. However, my mom had run this computer for years with no form of virus protection or malware protection (her line of thought was "Well, if I've done it before, then it can't be that bad."). Needless to say, once it was mine I immediately installed Avast and Malwarebytes. I ran Malwarebytes fine, but Avast froze before finishing. Now, this computer usually freezes after no more than 5 hours, no matter what I'm doing on it, so I thought nothing of it freezing while Avast was running, especially since Avast got to 99% done with no real problems. I had a thread at Majorgeeks to help speed it up, though it's been almost 2 weeks with no response (also, they didn't find any malware when we went through that step).

Today I tried to download a video from mediafire, and instead was redirected to www.dowloadfileshere.com, which tried to trick me into downloading api Downloader. I'm not sure what/how bad this infection is, but this is the first time in 2 weeks of use that I've even seen a redirect (well, maybe not; I thought I had just misclicked once or twice before, but still, it's subtle).

Here's the MBAM log:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.17.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Me :: DEB [administrator]

1/17/2013 4:14:09 PM

mbam-log-2013-01-17 (16-14-09).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 228852

Time elapsed: 19 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here's DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.11.2

Run by Me at 16:34:46 on 2013-01-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.289 [GMT -5:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Antivirus *Disabled*

.

============== Running Processes ================

.

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\stacsv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Me\Local Settings\Application Data\AOL\AIM\aim.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: {00000000-6E41-4FD3-8538-502F5495E5FC} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AIM for Windows] "c:\documents and settings\me\local settings\application data\aol\aim\aim.exe"

uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe

mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [IDTSysTrayApp] sttray.exe

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [SigmatelSysTrayApp] stsystra.exe

mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [WorkFlo] d:\brdjmp\WorkFlow.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{BFE6E208-142D-46DB-A49C-00F80484DDEB} : DHCPNameServer = 192.168.0.1

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-9 738504]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-9 361032]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-9 21256]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-9 44808]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-14 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-14 682344]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 21104]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-1-17 40776]

.

=============== Created Last 30 ================

.

2013-01-17 21:10:52 645632 ----a-w- c:\windows\system32\xvidcore.dll

2013-01-17 21:10:52 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2013-01-17 21:10:52 153088 ----a-w- c:\windows\system32\xvid.ax

2013-01-17 21:10:44 -------- d-----w- c:\program files\Xvid

2013-01-17 20:59:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-01-15 03:41:32 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-01-15 03:34:09 -------- d-s---w- c:\windows\system32\%USERPROFILE%

2013-01-11 20:00:16 -------- d-----w- c:\documents and settings\me\local settings\application data\PCHealth

2013-01-01 14:14:48 -------- d-----w- c:\program files\CCleaner

2013-01-01 04:27:39 -------- dc----w- C:\MGtools

2013-01-01 04:18:20 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro

2013-01-01 03:48:32 1897963 -c--a-w- C:\MGtools.exe

2013-01-01 03:44:26 -------- d-----w- c:\documents and settings\me\application data\MSNInstaller

2013-01-01 00:34:11 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2012-12-27 00:55:43 -------- d-----w- c:\documents and settings\me\local settings\application data\AOL

2012-12-27 00:55:42 -------- d-----w- c:\program files\common files\Software Update Utility

2012-12-26 02:18:46 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll

2012-12-26 02:17:51 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe

2012-12-26 02:17:50 45109 -c--a-w- c:\windows\system32\dllcache\imjpuex.exe

2012-12-26 02:17:45 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll

2012-12-26 02:17:45 6656 ----a-w- c:\windows\system32\c_is2022.dll

.

==================== Find3M ====================

.

2013-01-11 19:58:46 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-11 19:58:44 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-06 02:01:39 1371648 ----a-w- c:\windows\system32\msxml6.dll

2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec

2012-10-30 23:51:58 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-10-30 23:51:07 41224 ----a-w- c:\windows\avastSS.scr

2012-10-28 14:57:58 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-10-28 14:57:58 746984 ----a-w- c:\windows\system32\deployJava1.dll

.

============= FINISH: 16:35:52.94 ===============


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Oh, I forgot to mention some of my symptoms:

Ever since I got the PC, it's run slowly; however, the longer it's been on, the more slowly it runs. At a certain point, it tells me the minimum size of the paging file is too small, and that Windows is increasing the paging size. Finally, once the computer needs a restart, I start getting errors saying "Out of memory at line 7" or similar things.

Here's the Roguekiller report:

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Me [Admin rights]

Mode : Scan -- Date : 01/17/2013 21:59:32

¤¤¤ Bad processes : 1 ¤¤¤

[SUSP PATH] aim.exe -- C:\Documents and Settings\Me\Local Settings\Application Data\AOL\AIM\aim.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : AIM for Windows ("C:\Documents and Settings\Me\Local Settings\Application Data\AOL\AIM\aim.exe") -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-842925246-2000478354-682003330-1003[...]\Run : AIM for Windows ("C:\Documents and Settings\Me\Local Settings\Application Data\AOL\AIM\aim.exe") -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8032GSX +++++

--- User ---

[MBR] 3a76d3cc62ecb31315051826e0c36f2d

[BSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74873 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_S_01172013_02d2159.txt >>

RKreport[1]_S_12312012_02d2257.txt ; RKreport[2]_S_01172013_02d2159.txt

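The RogueKiller report above tags aim.exe as [SUSP PATH] for one reason only: the autorun target lives under the user's profile (Local Settings\Application Data), a location any code running as that user can write to, which is where droppers usually park themselves. The script below is an added example, not code from the original posts or from DDS, RogueKiller or Malwarebytes. It re-implements that heuristic over the uRun/mRun lines copied (with case normalized) from the DDS report, flags bare filenames that depend on search-path resolution and targets outside c:\windows and c:\program files, and also checks a hosts file for entries that would redirect a site. The thread's real hosts file held only the localhost line and the DNS server was the router (192.168.0.1), so neither explains the reported redirect; the hosts sample here is therefore constructed, and the location markers and "expected roots" are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# DDS writes HKCU Run values as "uRun:" and HKLM Run values as "mRun:".
RUN_LINE = re.compile(r'^([um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# First token ending in an executable extension, for unquoted commands whose
# path contains spaces (e.g. c:\program files\xvid\CheckUpdate.exe).
EXE_PREFIX = re.compile(r'^(?P<path>.*?\.(?:exe|dll|scr|cmd|bat|vbs|js))(?:\s|$)',
                        re.IGNORECASE)

# Markers for locations an unprivileged user can write to (assumption of this
# example, not a list taken from DDS or RogueKiller).
USER_WRITABLE_MARKERS = ('\\documents and settings\\', '\\local settings\\',
                         '\\application data\\', '\\temp\\', '\\users\\')
# Where a legitimate autorun target on this XP machine is expected to live.
EXPECTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\')

# Autorun lines copied from the DDS report in this thread.
SAMPLE_RUN_LINES = [
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'uRun: [AIM for Windows] "c:\\documents and settings\\me\\local settings'
    '\\application data\\aol\\aim\\aim.exe"',
    'uRun: [Xvid] c:\\program files\\xvid\\CheckUpdate.exe',
    'mRun: [avast] "c:\\program files\\avast software\\avast\\avastUI.exe" /nogui',
    'mRun: [IDTSysTrayApp] sttray.exe',
    'mRun: [WorkFlo] d:\\brdjmp\\WorkFlow.exe',
]

# Constructed hosts file. The real one in the RogueKiller report held only the
# localhost line; the mediafire entry is invented to show what a hijack looks like.
SAMPLE_HOSTS = """# constructed sample, not the machine's real hosts file
127.0.0.1 localhost
10.0.0.5 www.mediafire.com
"""


def extract_path(command: str) -> str:
    """Return the executable path from a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:] if end == -1 else cmd[1:end]
    m = EXE_PREFIX.match(cmd)
    if m:
        return m.group('path')
    return cmd.split()[0] if cmd else ''


def parse_run_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one DDS uRun/mRun line into hive, value name, command and path."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    hive = 'HKCU' if m.group(1) == 'u' else 'HKLM'
    cmd = m.group('cmd')
    return {'hive': hive, 'name': m.group('name'), 'command': cmd,
            'path': extract_path(cmd)}


def assess_path(path: str) -> List[str]:
    """Reasons an autorun target deserves a second look; empty means unremarkable."""
    reasons: List[str] = []
    p = path.lower()
    if '\\' not in p:
        # A bare filename is found via the search path, so whatever sits first
        # in that path wins; not malicious by itself, but worth confirming.
        reasons.append('bare filename, resolved through the search path')
        return reasons
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append('user-writable location')
    if not p.startswith(EXPECTED_ROOTS):
        reasons.append('outside c:\\windows and c:\\program files')
    return reasons


def triage_run_lines(lines) -> List[Dict[str, object]]:
    """Return only the Run entries that trip at least one heuristic."""
    flagged: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_run_line(line)
        if entry is None:
            continue
        reasons = assess_path(entry['path'])
        if reasons:
            flagged.append({**entry, 'reasons': reasons})
    return flagged


def hosts_hijacks(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs other than the loopback localhost mapping."""
    found: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() == 'localhost' and ip in ('127.0.0.1', '::1'):
                continue
            found.append((ip, name))
    return found


if __name__ == '__main__':
    for hit in triage_run_lines(SAMPLE_RUN_LINES):
        print(f"{hit['hive']} Run [{hit['name']}] {hit['path']}: "
              f"{', '.join(hit['reasons'])}")
    for ip, name in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

Run against the sample, it flags AIM for Windows (user-writable location, outside the expected roots), IDTSysTrayApp (bare filename) and WorkFlo (on d:\) and leaves ctfmon, Xvid and avast alone, which matches what RogueKiller singled out. A hit is a prompt to verify the file (publisher signature, hash, install date), not a verdict: AIM really does install per-user under Application Data, which is exactly why the forum helper asked for more scans instead of deleting it.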

OK, let's run some scans.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

