
Redirect and disabled



Please help...

I have a redirect issue with Google. I have tried to clean my laptop with several programs: Malwarebytes, Ad-Aware, HitMan Pro, ComboFix and now I have run HijackThis. I have noticed that sometimes I will be simply viewing email on AOL and suddenly a new window will open saying I have won a contest and music plays with an announcer. This may be another virus.

Malwarebytes also found the disabled.securityCenter trojan but it just continues to appear after being deleted.

Below is the HijackThis log from today:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:48:36 AM, on 6/15/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe

c:\program files\safeconnect\Uninstall.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Common Files\AOL\1174708395\ee\AOLSoftware.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint\Apoint.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SafeConnect\scClient.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary

O4 - HKLM\..\Run: [switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

O4 - HKLM\..\Run: [sonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [iSBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1174708395\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SafeConnect.lnk = ?

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238972247256

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe

O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe

O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--

End of file - 15322 bytes

and attached is the ComboFix log from last night...

Any help would be appreciated....

ComboFix.txt


Hello and Welcome to Anti-Malware Forums.

Introduction and rules:

  • I'm xixo_12 and really glad to help you.
  • You're advised to refrain from running any self fixes until I give the "All Clean" speech.
  • The instructions in this topic are specially created for the current problem; don't apply them on another system.
  • You're advised to ask about any uncertainty.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.

Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now, we will start the collaboration.

Do keep in mind that removing malware is a hazardous undertaking. I'm ready to share what I have learned over the years removing malware, but I'm also fallible.

You're advised to back up all the important data before we start.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First,

Uninstall List.

  • Run HijackThis.
  • Click on the Open the Misc Tools section button.
  • Click on the Misc Tools tab.
  • Under System tools, click on the Open Uninstall Manager button.
  • Find the Save list… button and save the list to the Desktop.
  • Copy the content and paste the uninstall list here.

Next,

GMER.

Please download from HERE and save to the desktop.

  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.

Important! Please do not select the "Show all" checkbox during the scan.

What you need to post

Checklist.

  • Content of uninstall list.
  • Content of GMER.txt



Hi,

Let's proceed.

No need to quote the instructions.

First,

SystemLook by jpshortstuff.

Please download from one of the links below and save it to the Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *compbatt*
    *atapi*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

What you need to post

Checklist.

  • Content of SystemLook.txt


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 18:59 on 17/06/2010 by Butch (Administrator - Elevation successful)

========== filefind ==========

Searching for "*compbatt*"

C:\WINDOWS\$NtServicePackUninstall$\compbatt.sys -----c 9344 bytes [22:13 09/09/2008] [13:58 17/08/2001] DF1B1A24BF52D0EBC01ED4ECE8979F50

C:\WINDOWS\ServicePackFiles\i386\compbatt.sys ------ 10240 bytes [14:17 22/08/2008] [18:36 13/04/2008] 6E4C9F21F0FAE8940661144F41B13203

C:\WINDOWS\system32\drivers\compbatt.sys --a--- 10240 bytes [00:41 10/08/2006] [18:36 13/04/2008] 6E4C9F21F0FAE8940661144F41B13203

Searching for "*atapi*"

C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [22:13 09/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:30 14/06/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\I386\ATAPI.SY_ ------ 49558 bytes [07:30 10/08/2006] [12:00 15/03/2006] 28541D14647BB58502D09D1CEAEE6684

C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM ------ 881 bytes [07:30 10/08/2006] [12:00 15/03/2006] FDA00ABB8831E4903E9442E9B01843ED

C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT ------ 449 bytes [07:30 10/08/2006] [12:00 15/03/2006] F5A5EAC5B4790D90031B913DD5D559A5

C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [14:17 22/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [22:59 03/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--- 95360 bytes [08:16 10/08/2006] [12:00 15/03/2006] CDFE4411A69C224BD1D11B2DA92DAC51

C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--- 95360 bytes [08:16 10/08/2006] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


Hi,

You are advised to copy these instructions, as we will work in the Recovery Console.

First,

ComboFix - Installing recovery console

Is there some reason you did not install the Recovery Console? With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Scroll down to Step 1 (where it says: Step 1: Download the Setup disk program), and select the download that's appropriate for your Operating System. Download the file and save it as it is originally named.
    Note: If you have SP3, use the SP2 package.
  • Save the file to the desktop of your computer.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Drag the setup package onto ComboFix.exe and drop it
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click No to exit.

Next,

Copy Files.

  • Open Notepad.exe
  • Copy and paste below code into the notepad.
    COPY /Y C:\WINDOWS\ServicePackFiles\i386\compbatt.sys c:\compbatt.sys
    COPY /Y C:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\atapi.sys
    DEL %0


  • Click on File > Save As
    Save in : Desktop
    File name : xixo.bat
    Save as type : All Files
  • Double click on xixo.bat and the batch file will perform the task and auto delete itself.

Next,

Script (.txt)

  • Open Notepad.exe
  • Copy and paste below code into the notepad.
    ren C:\WINDOWS\system32\drivers\atapi.sys atapi.old
    ren C:\WINDOWS\system32\drivers\compbatt.sys compbatt.old
    copy c:\atapi.sys C:\WINDOWS\system32\drivers\atapi.sys
    copy c:\compbatt.sys C:\WINDOWS\system32\drivers\compbatt.sys
    exit


  • Click on File > Save As
    Save in : Local Disk (C:)
    File name : xixo.txt
    Save as type : Text Documents (*.txt)
  • Close all notepad.

Next,

Recovery Console

  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up and down arrow key to select Microsoft Windows Recovery Console.
  • You must enter which Windows installation to log onto. Type 1 and press Enter.
  • At the C:\Windows> prompt, type this code :
    batch C:\xixo.txt


  • Reboot normally.

What you need to post

Checklist.

  • Please describe your system behaviour.

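As an added example (not part of this thread and not SystemLook's own code), the check below parses SystemLook :filefind lines in the format shown in the log above and compares the MD5 of each driver under system32\drivers with the copy kept under ServicePackFiles\i386, which is the comparison behind the atapi.sys/compbatt.sys restore procedure above. The parser, the Entry class and the sample log are my own constructions; note that in the real log above the live drivers already match their service-pack hashes, so the sample alters the live atapi.sys line to show how a modified driver would be reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Format of one :filefind result line in SystemLook output (as in the log above):
#   <path> <attributes> <size> bytes [<modified>] [<created>] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"  # pristine service-pack copies
LIVE_DIR = r"C:\WINDOWS\system32\drivers"            # the copies the kernel loads


@dataclass
class Entry:
    """One file reported by SystemLook (constructed helper type)."""
    path: str
    size: int
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_systemlook(text: str) -> List[Entry]:
    """Return every file entry found in a SystemLook :filefind log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]), m["md5"].upper()))
    return entries


def compare_drivers(entries: List[Entry]) -> Dict[str, str]:
    """For each driver under LIVE_DIR, compare its size and MD5 with the copy
    under REFERENCE_DIR.  A mismatch means the loaded driver differs from the
    service-pack original, which is what the restore procedure above repairs."""
    reference = {e.name: e for e in entries if e.directory == REFERENCE_DIR.lower()}
    verdicts: Dict[str, str] = {}
    for e in entries:
        if e.directory != LIVE_DIR.lower():
            continue
        ref = reference.get(e.name)
        if ref is None:
            verdicts[e.name] = "no reference copy"
        elif ref.md5 == e.md5 and ref.size == e.size:
            verdicts[e.name] = "matches service pack copy"
        else:
            verdicts[e.name] = f"MISMATCH: live {e.md5} vs reference {ref.md5}"
    return verdicts


# Constructed sample log: the compbatt lines and the reference atapi line are
# copied from the log above; the live atapi.sys MD5 is replaced with a
# placeholder value so that the comparison reports a mismatch.
SAMPLE_LOG = """SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "*compbatt*"
C:\\WINDOWS\\ServicePackFiles\\i386\\compbatt.sys ------ 10240 bytes [14:17 22/08/2008] [18:36 13/04/2008] 6E4C9F21F0FAE8940661144F41B13203
C:\\WINDOWS\\system32\\drivers\\compbatt.sys --a--- 10240 bytes [00:41 10/08/2006] [18:36 13/04/2008] 6E4C9F21F0FAE8940661144F41B13203
Searching for "*atapi*"
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys ------ 96512 bytes [14:17 22/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\\WINDOWS\\system32\\drivers\\atapi.sys --a--- 96512 bytes [22:59 03/08/2004] [18:40 13/04/2008] 00000000000000000000000000000000
-=End Of File=-
"""

if __name__ == "__main__":
    for name, verdict in compare_drivers(parse_systemlook(SAMPLE_LOG)).items():
        print(f"{name}: {verdict}")
```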

Checklist.

  • Please describe your system behaviour.

1) After I completed running the batch file in the Recovery Console and the 2 files were copied I was unable to exit out of the recovery console so in order to reboot I shut down and restarted.

2) I opened both Internet Explorer and Firefox and clicked on links and have not been redirected. I will continue to search on these engines to test this out but right now things seem to be cool...

Is there any specific way to determine whether things have been cleaned out?


Hi,

Good :P

Let's proceed with this one and we will see the outcome.

What you need to post

Checklist.

  • Content of Kaspersky scan log

I am initially unable to run the scanner. I received the following message:

"Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later."

I followed the link to the Java download site and it verified that

"Congratulations!"

"You have the recommended Java installed (version 6 Update 20)."

So, I restarted the computer and was able to run the scanner.

Nearly 7 hours later, here it is:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, June 19, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, June 19, 2010 12:23:34

Records in database: 4296164

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan statistics:

Objects scanned: 358795

Threats found: 3

Infected objects found: 2

Suspicious objects found: 3

Scan duration: 06:51:14

File name / Threat / Threats count

C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

G:\160_bkup\520\520_c\Butch\Local Settings\Temp\couponsandoffers.exe Infected: not-a-virus:AdWare.Win32.TopMoxie.f 1

G:\160_bkup\520\520_d\butch_backup1\bkup01_0108b\MBC.PST Suspicious: Exploit.HTML.Iframe.FileDownload 1

G:\maxtor\firelite_1\temp3\butch\mbc.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

G:\maxtor\firelite_1\temp3\butch\mbc_0118.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

Selected area has been scanned.


Hi,

Let's proceed.

First,

CFScript

  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    http://forums.malwarebytes.org/index.php?showtopic=54071&st=0entry270567
    Suspect::
    G:\160_bkup\520\520_c\Butch\Local Settings\Temp\couponsandoffers.exe


  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Drag CFScript onto ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt".

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If it does, open Task Manager > Processes tab (press ctrl+alt+del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened, we want to know, and also what process you had to end.

Next,

Malwarebytes' Anti-Malware - Run

  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.

Note:

  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

What you need to post

Checklist.

  • Content of ComboFix.txt
  • Content of MBAM log
  • Any other problem?


Hi,

Let's proceed.

What you need to post

Checklist.

  • Content of ComboFix.txt
  • Content of MBAM log
  • Any other problem?

ComboFix

ComboFix 10-06-19.03 - Butch 06/20/2010 9:16.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.583 [GMT -4:00]

Running from: c:\documents and settings\Butch\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Butch\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: g:\160_bkup\520\520_c\Butch\Local Settings\Temp\couponsandoffers.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))

.

2010-06-19 14:54 . 2010-06-19 14:54 -------- d-----w- c:\windows\LastGood

2010-06-19 01:06 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-19 01:06 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys

2010-06-19 01:06 . 2008-04-13 18:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys

2010-06-19 01:06 . 2008-04-13 18:36 10240 ----a-w- C:\compbatt.sys

2010-06-19 00:55 . 2010-06-19 01:03 -------- d-----w- C:\Combo-Fix

2010-06-16 14:30 . 2010-06-16 14:30 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-14 17:53 . 2010-06-14 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-14 17:17 . 2010-06-14 17:17 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-14 17:09 . 2010-06-16 11:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-14 17:08 . 2010-06-14 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-14 17:08 . 2010-06-14 17:08 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-05 02:59 . 2010-06-05 03:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-03 19:09 . 2010-06-03 19:09 -------- d-----w- c:\documents and settings\Butch\Local Settings\Application Data\Help

2010-06-03 15:00 . 2010-06-03 15:00 0 ---ha-w- C:\aaw7boot.cmd

2010-06-03 03:00 . 2010-06-03 03:00 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-03 02:57 . 2010-06-03 02:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-03 02:57 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-06-02 22:02 . 2010-06-02 22:01 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-26 18:05 . 2010-05-26 18:05 61440 ----a-w- c:\documents and settings\Butch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64ab8811-n\decora-sse.dll

2010-05-26 18:05 . 2010-05-26 18:05 503808 ----a-w- c:\documents and settings\Butch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b827bb2-n\msvcp71.dll

2010-05-26 18:05 . 2010-05-26 18:05 499712 ----a-w- c:\documents and settings\Butch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b827bb2-n\jmc.dll

2010-05-26 18:05 . 2010-05-26 18:05 348160 ----a-w- c:\documents and settings\Butch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b827bb2-n\msvcr71.dll

2010-05-26 18:05 . 2010-05-26 18:05 12800 ----a-w- c:\documents and settings\Butch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64ab8811-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-20 13:09 . 2007-03-26 14:31 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-19 12:26 . 2006-08-10 09:13 -------- d-----w- c:\program files\Java

2010-06-18 14:29 . 2009-07-20 17:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-17 08:19 . 2008-09-23 01:24 -------- d-----w- c:\program files\SafeConnect

2010-06-15 13:47 . 2007-03-24 03:36 -------- d-----w- c:\program files\Trend Micro

2010-06-05 15:01 . 2010-01-16 15:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-05 12:34 . 2010-03-12 14:09 -------- d-----w- c:\documents and settings\Butch\Application Data\vlc

2010-06-03 19:48 . 2009-04-05 22:21 5058 ----a-w- c:\windows\Help\hhcolreg.dat

2010-06-03 19:42 . 2006-08-10 07:51 -------- d-----w- c:\program files\microsoft frontpage

2010-06-03 17:38 . 2010-03-15 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-03 03:00 . 2010-01-16 22:12 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-03 02:57 . 2010-01-16 15:45 -------- d-----w- c:\program files\Lavasoft

2010-06-02 22:03 . 2006-08-10 09:13 -------- d-----w- c:\program files\Common Files\Java

2010-05-12 19:06 . 2010-05-12 19:06 -------- d-----w- c:\program files\Adobe Media Player

2010-05-12 19:05 . 2008-12-20 15:27 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-05-12 19:05 . 2008-07-03 22:46 38784 ----a-w- c:\documents and settings\Butch\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-05-12 12:27 . 2010-05-12 12:25 -------- d-----w- c:\program files\iTunes

2010-05-12 12:26 . 2010-05-12 12:26 -------- d-----w- c:\program files\iPod

2010-05-12 12:25 . 2009-07-08 22:21 -------- d-----w- c:\program files\Common Files\Apple

2010-05-12 12:17 . 2010-05-12 12:17 -------- d-----w- c:\program files\Bonjour

2010-05-12 12:15 . 2010-05-12 12:15 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-29 19:39 . 2010-03-15 03:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-03-15 03:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-25 02:48 . 2010-04-25 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-25 02:40 . 2010-04-25 02:40 -------- d-----w- c:\program files\QuickTime

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-06-14_22.25.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-19 12:57 . 2010-06-19 12:57 16384 c:\windows\Temp\Perflib_Perfdata_4fc.dat

+ 2010-06-19 14:53 . 2010-06-05 15:01 64288 c:\windows\system32\DRVSTORE\lbd_9C578CA880A99903668A8694DEFB21244E9C4C62\Lbd.sys

+ 2010-06-19 14:54 . 2010-02-04 15:53 64288 c:\windows\LastGood\system32\DRIVERS\Lbd.sys

+ 2010-06-18 13:14 . 2010-06-18 13:14 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe

+ 2010-06-18 13:14 . 2010-06-18 13:14 311760 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]

"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]

"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-04-04 26112]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]

"HostManager"="c:\program files\Common Files\AOL\1174708395\ee\AOLSoftware.exe" [2006-09-26 50736]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-3-26 1524776]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]

2006-05-08 13:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1174708395\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\SBT\\DMM\\directmail.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2967:TCP"= 2967:TCP:Symantec

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/30/2007 4:27 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/30/2010 1:53 PM 102448]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/10/2006 3:33 AM 226304]

S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/16/2010 11:49 AM 64288]

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]

S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]

.

Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:51]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sony.com/vaiopeople

uInternet Settings,ProxyOverride = *.local

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm

Trusted Zone: trymedia.com

FF - ProfilePath - c:\documents and settings\Butch\Application Data\Mozilla\Firefox\Profiles\gi2b1a6z.default\

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-20 09:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)

c:\windows\system32\VESWinlogon.dll

.

Completion time: 2010-06-20 09:28:51

ComboFix-quarantined-files.txt 2010-06-20 13:28

ComboFix2.txt 2010-06-14 22:33

Pre-Run: 29,629,554,688 bytes free

Post-Run: 29,727,649,792 bytes free

- - End Of File - - D8834BA93F98B1C4694E4CED60C0D5FA

Upload was successful

MBAM Log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4217

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/20/2010 11:32:57 AM

mbam-log-2010-06-20 (11-32-57).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 493905

Time elapsed: 1 hour(s), 54 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

G:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP664\A0057610.exe (Adware.WhenU) -> Quarantined and deleted successfully.

Any other problem?

I neglected to mention at the start of this session that my problems sort of began around the time I had a problem with Microsoft Outlook. I was unable to access Outlook for some reason, I reinstalled the program but still received an error when trying to access it. I think I then began to get the "News11 Today" and the "You've just won..." pop-ups and the Google/Yahoo redirects.

After completing these latest scans I tried to access Outlook and still received an error and the program closed. Here is the notice info I could copy:

AppName: outlook.exe AppVer: 9.0.0.2416 ModName: unknown

ModVer: 0.0.0.0 Offset: 0007f7f4

Thank You for your continued help....

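The ComboFix log above shows two Security Center entries ("AntiVirusOverride" and "DisableMonitoring" set to 1) that suppress the "no antivirus" warning, which is the kind of setting the "disabled.SecurityCenter" detection in this thread refers to. The following is an added example, not part of the thread or of ComboFix, that parses the log's "Reg Loading Points" section and flags those overrides plus any Run entries given without a directory; the sample text is a constructed excerpt in the shape of the posted log, and the `bare_run_entries` heuristic is my own.

```python
"""Triage helper for a ComboFix 'Reg Loading Points' dump (added example)."""
import re
from collections import defaultdict

# Constructed sample: a few lines copied in the shape of the log posted above.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" optionally followed by ComboFix's [yyyy-mm-dd size] tag
STR_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[\d{4}-\d{2}-\d{2}\s+\d+\])?$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_loading_points(text):
    """Return {registry key: [(value name, value)]}; dword values become ints."""
    result = defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            result[key].append((m.group(1), int(m.group(2), 16)))
            continue
        m = STR_RE.match(line)
        if m and key:
            result[key].append((m.group(1), m.group(2)))
    return dict(result)

# Security Center values that silence its alerting when set to 1. The first three
# are the XP SP2 override values; DisableMonitoring lives under Monitoring\<vendor>.
SC_OVERRIDES = {'AntiVirusOverride', 'FirewallOverride',
                'UpdatesOverride', 'DisableMonitoring'}

def security_center_findings(entries):
    """List (key, name) pairs where a Security Center override is switched on."""
    findings = []
    for key, values in entries.items():
        if 'security center' not in key.lower():
            continue
        for name, value in values:
            if name in SC_OVERRIDES and value == 1:
                findings.append((key, name))
    return findings

def bare_run_entries(entries):
    """Heuristic (mine): Run values with no directory are resolved by PATH search,
    so they deserve a manual check even when, as with SkyTel here, they are benign."""
    out = []
    for key, values in entries.items():
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        for name, value in values:
            if isinstance(value, str) and '\\' not in value:
                out.append((key, name, value))
    return out

if __name__ == '__main__':
    parsed = parse_loading_points(SAMPLE)
    for key, name in security_center_findings(parsed):
        print(f'Security Center override on: [{key}] {name}')
    for key, name, value in bare_run_entries(parsed):
        print(f'Run entry without a path: [{key}] {name} = {value}')
```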

Hi,

I'm not sure about it. Perhaps you could try to reinstall it again.

At this stage, I'm pretty sure it's clean.

Information.

We have done all we can do to help here. If you need further assistance, I would refer you to one of the Systems/Hardware forums here:

Good System/Hardware Help Forums

You may need to register (it is free) in order to post at their forum :P

Any other questions?


Any other questions?

Do you have any idea how I may have contracted the malware/virus that caused the redirect?

Now that I don't have that "disabled.SecurityCenter" problem I noticed that Internet Explorer prompts me when I go on an unsecured website. Should I check the box which stops that prompt?

Do you suggest I use any specific anti-malware, spyware or anti-virus program(s) that may help me keep up with this stuff? Or should I buy a Mac?

Thanks again...


Hi,

Do you have any idea how I may have contracted the malware/virus that caused the redirect?

Start to change your habit of surfing :P

I noticed that Internet Explorer prompts me when I go on an unsecure website. Should I check the box which stops that prompt?

Refer to my above answer. Normally, when you get this prompt, it's unsafe.

Do you suggest I use any specific anti-malware, spyware or anti-virus program(s) that may help me keep up with this stuff? Or should I buy a Mac?

Mac is your choice. To answer the other question:

Good! :P

Your system now is clean.

Let's do some cleaning and management.

Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator

First,

Uninstall Combofix

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the Run box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

Next,

clear system restore points.

This is a good time to clear your existing system restore points and establish a new clean restore point:

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point > Click Next > Put the description as you wish > Click Create.
  • Next, go to Start > Run and type in cleanmgr
  • Choose your root drive (normally C:) and click OK.
  • After it calculates how much space you will save, it will open up a new window.
  • Select the More Options tab at the top of the window.
  • Choose the option to clean up System Restore and click Yes.
  • Go back to the Disk Cleanup tab.
  • Put a checkmark in all - except Compress old files (leave this unchecked).
  • Click OK, then click Yes.

This will remove all restore points except the new one you just created and clean up unneeded files.

Next,

You can proceed to delete all the tools that were involved in this process.

Additional Information :

SpywareBlaster.

  • SpywareBlaster helps make your Internet Explorer stronger, as it will help to block known malicious ActiveX.
  • A tutorial on installing & using this product can be found HERE

Antivirus.

  • Antivirus helps give the maximum protection to the system.
  • You are advised to have only ONE antivirus running on the system.
  • Please keep it updated regularly.

Malwarebytes' Anti-Malware.

WinPatrol.

  • Unwanted things always occur without your knowledge. Let this software take a snapshot of it.
  • More information and installation instructions can be found HERE

Windows/Program Update.

Please make sure to have your Windows Automatic Update turned ON, or you can do it manually.

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.

To update Windows

  • Go to Start > All Programs > Windows Update

To update Office

  • Open up any Office program.
  • Go to Help > Check for Updates

You can always refer to both websites to check whether any updates are needed for your system.

Information.

Safe surfing! :D
