MrCharlie Posted March 26, 2013 ID:661076

Please find these files and upload to VirusTotal for a free scan, let me know the results (just copy back the url):
http://www.virustotal.com/

c:\windows\Tasks\AutoKMSDaily.job
c:\windows\AutoKMS\AutoKMS.exe

MrC
macr8e (Author) Posted March 26, 2013 ID:661275

Do not have permission to open c:\windows\Tasks\AutoKMSDaily.job

Here is the scan for c:\windows\AutoKMS\AutoKMS.exe
https://www.virustotal.com/en/file/495a9347398f958d1b530f642425f1b71ea1bcedddd7ba76f301feb0510852a3/analysis/1364333065/
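Added example, not code from the thread or from VirusTotal: a short Python script that hashes the two files MrCharlie asked about and builds a VirusTotal hash-lookup URL for each, reporting a missing file or a permission error instead of crashing, which is the situation macr8e hit with the .job file. The `/gui/file/<sha256>` URL form is an assumption based on today's VirusTotal site (the thread's own link uses the older `/en/file/<sha256>/analysis/<timestamp>/` form), and the sample file in `demo()` is constructed in a temporary directory.

```python
"""Hash suspect files and build VirusTotal lookup URLs (added example)."""
import hashlib
import os
import tempfile

# Assumption: today's VirusTotal answers a hash lookup at this URL form; the
# thread's own link uses the older /en/file/<sha256>/analysis/<timestamp>/ form.
VT_LOOKUP = "https://www.virustotal.com/gui/file/{sha256}"

# The two paths the helper asked about in the thread.
SUSPECT_PATHS = [
    r"c:\windows\Tasks\AutoKMSDaily.job",
    r"c:\windows\AutoKMS\AutoKMS.exe",
]


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_urls(paths):
    """Return {path: result}; result carries the hash and URL, or why hashing failed.

    PermissionError is reported rather than raised: the .job file in the thread
    could not be opened by the poster, which is what an unprivileged account hits
    on files under c:\\windows\\Tasks.
    """
    results = {}
    for path in paths:
        try:
            digest = sha256_of_file(path)
            results[path] = {
                "status": "ok",
                "sha256": digest,
                "url": VT_LOOKUP.format(sha256=digest),
            }
        except FileNotFoundError:
            results[path] = {"status": "missing"}
        except PermissionError:
            results[path] = {"status": "permission denied (re-run as administrator)"}
    return results


def demo():
    """Constructed sample: one readable file plus one path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        missing = os.path.join(tmp, "does-not-exist.exe")
        with open(sample, "wb") as fh:
            fh.write(b"abc")  # constructed content, not a real binary
        results = lookup_urls([sample, missing])
        return {"readable": results[sample], "missing": results[missing]}


if __name__ == "__main__":
    # Against a real machine you would pass SUSPECT_PATHS instead of the demo files.
    for label, info in demo().items():
        print(label, info)
```

Looking a hash up first avoids uploading the file at all; only if VirusTotal has no record of that hash does an upload become the next step.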
macr8e (Author) Posted March 26, 2013 ID:661286

Have another issue I was directed to run by you.
When I do a Google search and click on the link, I'm usually sent to a site completely unrelated. I usually have to cut and paste the address into my browser. Is this a malware problem?
MrCharlie Posted March 26, 2013 ID:661324

The redirect is a problem and malware related.

As you saw by the VirusTotal report these are malware and may have been used to activate MS Office.
c:\windows\Tasks\AutoKMSDaily.job
c:\windows\AutoKMS\AutoKMS.exe
They have to be deleted:

Using ComboFix......
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

    File::
    c:\windows\Tasks\AutoKMSDaily.job
    c:\windows\AutoKMS\AutoKMS.exe
    Folder::
    c:\windows\AutoKMS
    ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
macr8e (Author) Posted March 27, 2013 ID:661350

I don't know what I'm doing wrong but this is not working as easily as you explain. When connecting to combofix it does not ask me to save, it is sitting in my Downloads file.
MrCharlie Posted March 27, 2013 ID:661351

You should already have it on the system.
The link below may help to change the download location:
http://www.sevenforums.com/tutorials/112232-internet-explorer-change-default-download-location.html

MrC
macr8e (Author) Posted March 27, 2013 ID:661355

My default browser is Firefox.
MrCharlie Posted March 27, 2013 ID:661357

I don't use FF but this should help:
http://www.sevenforums.com/tutorials/154852-firefox-change-default-download-save-location.html

MrC
macr8e (Author) Posted March 27, 2013 ID:661370

Attached: ComboFix.txt
MrCharlie Posted March 27, 2013 ID:661493

How is it??

MrC
macr8e (Author) Posted March 28, 2013 ID:662230

Not getting the pop up warning anymore. Still having google search issues. Now getting this (see attached).
macr8e (Author) Posted March 29, 2013 ID:662235

Have to cut and paste url address.
MrCharlie Posted March 29, 2013 ID:662237

Run another OTL scan and post the new log:

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://www.itxassociates.com/OT-Tools/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)
Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.
The scan will take about 10 minutes...depends on your hard drive size.
Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

MrC
macr8e (Author) Posted March 29, 2013 ID:662241

Scan attached. Pop up coming up again.
OTL.Txt
MrCharlie Posted March 29, 2013 ID:662242

What pop-up??
macr8e (Author) Posted March 29, 2013 ID:662243

The original problem:
Successfully blocked access to a potentially malicious website 46.183.217.245
Type: outgoing
Process: rundl1132.exe
MrCharlie Posted March 29, 2013 ID:662244

The pop-up may just be Malwarebytes doing its job.
You can try re-installing Firefox or resetting it back to defaults:
http://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

MrC
macr8e (Author) Posted March 29, 2013 ID:662262

Updated to newest version of Firefox. Still frequently getting redirected through google links. Do I need to rerun combofix? What is rundl1132.exe anyway?
MrCharlie Posted March 29, 2013 ID:662394

Here's some info on rundll32.exe:
http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/
http://www.liutilities.com/products/wintaskspro/processlibrary/rundll32/
------------------------------------------
Do any of your other browsers redirect?

MrC
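Added example, not part of any post in this thread: Python that parses alert text in the shape of the Malwarebytes pop-up macr8e quoted, counts repeated outbound blocks per process and destination IP, and flags the ones that originate from Windows host processes such as rundll32.exe, which is what turns "the blocker doing its job" into a lead on what is still loaded on the machine. The sample alert lines, the HOST_PROCESSES set and the path formats are constructed for the example; the IP 46.183.217.245 is the one quoted in the thread.

```python
"""Triage Malwarebytes-style 'blocked website' alerts (added example; sample lines constructed)."""
import re
from collections import Counter

# Windows host/helper binaries that run DLLs or scripts for other code. They have
# legitimate uses but rarely originate their own outbound connections to arbitrary
# IPs, so repeated blocks from them point at something they are loading. Assumption
# for this example, not a Malwarebytes setting.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "svchost.exe"}

# Matches the three fields the pop-up exposes: destination IP, direction, process.
ALERT_RE = re.compile(
    r"blocked access to a potentially malicious website\s+(?P<ip>[\d.]+)"
    r".*?Type:\s*(?P<direction>\w+)"
    r".*?Process:\s*(?P<process>.+?)\s*$",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample alerts in the shape of the pop-up quoted in the thread.
SAMPLE_ALERTS = [
    "Successfully blocked access to a potentially malicious website 46.183.217.245 "
    "Type: outgoing Process: C:\\Windows\\System32\\rundll32.exe",
    "Successfully blocked access to a potentially malicious website 46.183.217.245 "
    "Type: outgoing Process: C:\\Windows\\System32\\rundll32.exe",
    "Successfully blocked access to a potentially malicious website 198.51.100.7 "
    "Type: outgoing Process: C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "Successfully blocked access to a potentially malicious website 203.0.113.9 "
    "Type: incoming Process: System",
]


def parse_alert(line):
    """Return (ip, direction, process basename) or None if the line is not an alert."""
    match = ALERT_RE.search(line)
    if not match:
        return None
    # Normalise the path so "C:\Windows\System32\rundll32.exe" and a bare
    # "rundll32.exe" compare equal.
    process = match.group("process").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return match.group("ip"), match.group("direction").lower(), process


def triage(lines):
    """Count alerts per (process, ip); flag outbound ones from host processes.

    Returns (counts, flagged). A browser being blocked once is ordinary web noise;
    the same host process hitting the same IP repeatedly is what the clean-up
    needs to chase (the DLL or task that keeps re-launching it).
    """
    counts = Counter()
    flagged = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ip, direction, process = parsed
        counts[(process, ip)] += 1
        if direction == "outgoing" and process in HOST_PROCESSES:
            flagged.append((process, ip))
    # De-duplicate the flagged pairs while keeping first-seen order.
    return counts, list(dict.fromkeys(flagged))


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_ALERTS)
    for (process, ip), n in counts.most_common():
        print(f"{n:>3}  {process:<14} -> {ip}")
    print("flagged host-process outbound blocks:", flagged)
```

Feeding the real Malwarebytes protection log through `triage()` instead of the constructed lines gives the pair to investigate; the process name alone (rundll32.exe) does not identify the culprit, since it only names the loader, not the DLL or scheduled task that keeps invoking it.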
macr8e (Author) Posted March 30, 2013 ID:662648

Internet explorer also.
MrCharlie Posted March 30, 2013 ID:662664

Delete your copy of Combofix, download and run a fresh one as before.

MrC
macr8e (Author) Posted March 30, 2013 ID:662721

combofix txt
ComboFix.txt
MrCharlie Posted March 30, 2013 ID:662768

There are traces of AVG 2013 still on the system, please delete these folders and then run the uninstaller:
c:\users\Bill\AppData\Local\Avg2013
c:\windows\system32\drivers\avgtpx86.sys

AVG Remover tool:
http://www.avg.com/ww-en/faq.num-5172 <-----on this page
http://download.avg...._Remover_en.exe <---direct download
-------------------------------------------
Using ComboFix......
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

    File::
    C:\Windows\System32\lvcoinstm.dll
    ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
macr8e (Author) Posted March 30, 2013 ID:663042

Log
ComboFix.txt
MrCharlie Posted March 30, 2013 ID:663044

Any difference??

MrC