Google redirect


I've been having a Google redirect problem when performing searches. At first it was always to a site called infomash. I ran Malwarebytes and the problem went away. It has since resurfaced, but it is sending me to various different sites somewhat related to what I was searching for. I have attached all the files below, as well as the most current Malwarebytes log that did not find anything and the past Malwarebytes log files that did detect infections. Any help would be greatly appreciated.

Thank You

Scott

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sccccc at 11:41:57.50 on Mon 08/23/2010

Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_21

Microsoft

attach.zip


Hello and welcome.

I will be helping you with removing malware from your computer. Log research takes time, so please be patient, and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any scanning tools other than those you are instructed to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised that your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped with this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will ask whether you still need assistance; if you still don't reply within 48 hours, the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

You will need to right click and choose "Run as Administrator" to run the tools we will use.

Please do the following:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Right click GMER.exe then choose "Run as Administrator" to run the tool.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      [Screenshot: GMER scan settings with the boxes above unchecked]
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Thank you for your help, here is the Gmer results.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-24 11:34:35

Windows 6.0.6002 Service Pack 2

Running: gmer.exe; Driver: C:\Users\Sccccc\AppData\Local\Temp\pwryqpog.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8F421B9C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8F4219C0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8F421AFA]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 82789DF0 7 Bytes JMP 8F421AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 827F528F 5 Bytes JMP 8F41D5B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObInsertObject 8284E063 5 Bytes JMP 8F41EF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!NtCreateSection 8284F905 7 Bytes JMP 8F4219C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 828AF90A 7 Bytes JMP 8F421BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E609000, 0x1F8CAC, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

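The GMER log above attributes every kernel hook and device attachment it found to avast's own drivers (aswSP.SYS, aswTdi.SYS) or to Microsoft's filter manager, with one entry, the writeable .text section of atikmdag.sys, carrying no vendor string at all. The following is an added example, not code from this thread or from GMER, that parses a log of this shape and groups the entries by the vendor GMER names in the "(description/Vendor)" suffix, so that a log full of hooks can be reduced to "which modules are doing the hooking". It also separates GMER's own randomly named helper driver (named on the "Running:" line and normally loaded from Temp, as pwryqpog.sys is here) from any other driver loaded out of a Temp folder, which would deserve a closer look. The line prefixes and the vendor convention are taken from the log above; the grouping logic and the report format are my own.

```python
"""Triage a GMER rootkit-scan log.

Added example; not part of the original thread and not GMER's own code. It
groups every kernel hook, inline patch and device attachment by the module
GMER attributes it to, surfaces entries with no vendor string, and separates
GMER's own randomly named helper driver (the "Running:" line, normally in
Temp) from any other driver loaded from a Temp folder. SAMPLE_LOG is the
hook-bearing part of the log posted in the thread.
"""
import re
from collections import defaultdict

# Line types GMER uses for SSDT/code hooks, inline patches and device stacks.
HOOK_PREFIXES = ("Code ", "PAGE ", "INIT ", ".text ", "Device ", "AttachedDevice ")
# A driver/executable path, optionally followed by "(description/Vendor)".
MODULE_RE = re.compile(r"(\S+\.(?:sys|exe|dll))(?:\s+\(([^)]*)\))?", re.IGNORECASE)
RUNNING_RE = re.compile(r"^Running:\s+\S+;\s*Driver:\s+(\S+)", re.IGNORECASE)
ADDR_RE = re.compile(r"\s*\[0x[0-9A-Fa-f]+\]\s*$")

SAMPLE_LOG = r"""
Running: gmer.exe; Driver: C:\Users\Sccccc\AppData\Local\Temp\pwryqpog.sys
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8F421B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8F4219C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8F421AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
PAGE ntkrnlpa.exe!ZwLoadDriver 82789DF0 7 Bytes JMP 8F421AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 827F528F 5 Bytes JMP 8F41D5B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 8284E063 5 Bytes JMP 8F41EF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 8284F905 7 Bytes JMP 8F4219C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 828AF90A 7 Bytes JMP 8F421BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E609000, 0x1F8CAC, 0xE8000020]
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

def _is_temp_path(path):
    """True when a directory component of the path is a Temp folder."""
    return "temp" in path.lower().replace("/", "\\").split("\\")

def _target(kind, line, module_path):
    """Best-effort description of what the module hooked or attached to."""
    tokens = line.split()
    if kind == ".text":
        return " ".join(tokens[2:5])              # e.g. "section is writeable"
    if kind in ("PAGE", "INIT"):
        return tokens[1]                          # e.g. ntkrnlpa.exe!ZwLoadDriver
    if kind in ("Device", "AttachedDevice"):
        return " ".join(tokens[1:3])              # e.g. \Driver\tdx \Device\Tcp
    # "Code <module> (<desc>) <function> [0xADDR]": keep only <function>.
    tail = line.split(")", 1)[1] if ")" in line else line.split(module_path, 1)[1]
    return ADDR_RE.sub("", tail).strip()

def triage_gmer(log_text):
    """Return {'gmer_driver', 'by_vendor', 'unattributed', 'temp_drivers'}."""
    result = {"gmer_driver": None, "by_vendor": defaultdict(list),
              "unattributed": [], "temp_drivers": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUNNING_RE.match(line)
        if m:
            result["gmer_driver"] = m.group(1).lower()
            continue
        if not line.startswith(HOOK_PREFIXES):
            continue
        modules = MODULE_RE.findall(line)
        if not modules:
            continue
        # The hooking module is the last path on the line; on PAGE lines the
        # first path (ntkrnlpa.exe) is the patched target, not the hooker.
        module_path, desc = modules[-1]
        kind = line.split(None, 1)[0]
        entry = (kind, _target(kind, line, module_path), module_path)
        if desc:
            result["by_vendor"][desc.rsplit("/", 1)[-1].strip()].append(entry)
        else:
            result["unattributed"].append(entry)
        if _is_temp_path(module_path) and module_path.lower() != result["gmer_driver"]:
            result["temp_drivers"].append(module_path.lower())
    result["by_vendor"] = dict(result["by_vendor"])
    return result

def report(result):
    """Render the triage result as plain-text lines."""
    lines = ["GMER helper driver (expected in Temp): %s" % (result["gmer_driver"] or "not found")]
    for vendor, entries in sorted(result["by_vendor"].items()):
        lines.append("%d hook(s)/attachment(s) attributed to %s" % (len(entries), vendor))
        lines.extend("  %-15s %-40s %s" % e for e in entries)
    lines.extend("NO VENDOR STRING: %s %s (%s); check the file's signer yourself"
                 % (k, m, t) for k, t, m in result["unattributed"])
    lines.extend("DRIVER LOADED FROM TEMP: %s" % m for m in result["temp_drivers"])
    return lines

if __name__ == "__main__":
    print("\n".join(report(triage_gmer(SAMPLE_LOG))))
```

Run on the log above, the script reports 14 entries attributed to ALWIL Software, one to Microsoft Corporation, the atikmdag.sys line as the only entry without a vendor string, and no Temp-loaded driver other than GMER's own. A vendor string is only what GMER read from the file's version resource, so the grouping is a triage aid, not proof of legitimacy; the point is that it tells you which one or two files to verify rather than which twenty hooks to stare at.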

Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

  • Close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.


Hi,

Did you set those trusted zones yourself?

Trusted Zone: adobe.com\get

Trusted Zone: avast.com\www

Trusted Zone: bankofamerica.com\sitekey

Trusted Zone: foxracingshox.com\www

Trusted Zone: gearattack.com

Trusted Zone: ingdirect.com\secure

Trusted Zone: microsoft.com\www.update

Trusted Zone: paypal.com\www

Trusted Zone: santacruzbicycles.com\www

Trusted Zone: santacruzmtb.com\www

Trusted Zone: tube8.com\www

Trusted Zone: ziprealty.com\www

Also, about your Security Center: did you set it so that you'll monitor it yourself and not Windows?

Please do the following:

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\users\Sccccc\AppData\Local\Dkiriwumezim.dat

c:\users\Sccccc\AppData\Local\Jlomoconisixejig.bin

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

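The CFScript in the previous post removes a DDS-reported ProxyServer setting of http=127.0.0.1:5577, and this post asks about the Trusted Zone entries DDS listed. A proxy address in the loopback range means that some process on the machine itself, not a remote server, is relaying Internet Explorer's web traffic, which is why it stands out on a machine with search redirects; sites in the Trusted Zone run under IE's more permissive Trusted sites security level, so each entry should be one the owner deliberately added. The following is an added example, not code from this thread or from DDS or ComboFix, that reads those two DDS line types from a log excerpt and reports a local proxy plus the host name behind each Trusted Zone entry, compared against a list of sites you recognise. The excerpt is assembled from the lines quoted in the thread; the reading of a Trusted Zone entry as domain\sub, mirroring the registry layout under ZoneMap\Domains so that microsoft.com\www.update means www.update.microsoft.com, is my own.

```python
"""Audit the browser settings DDS reports: the IE proxy and the Trusted Zone.

Added example; not code from the thread or from DDS/ComboFix. It reads the two
DDS line types quoted in the thread, flags a ProxyServer that points at the
local machine, and expands each Trusted Zone entry to the host name it covers.
DDS_EXCERPT is assembled from the lines quoted in the thread.
"""
import ipaddress
import re

PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(.+)$", re.IGNORECASE)
ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)$", re.IGNORECASE)

DDS_EXCERPT = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
Trusted Zone: adobe.com\get
Trusted Zone: bankofamerica.com\sitekey
Trusted Zone: gearattack.com
Trusted Zone: microsoft.com\www.update
Trusted Zone: paypal.com\www
"""


def _is_local(host):
    """True for loopback/unspecified addresses and 'localhost'."""
    h = host.strip("[]").lower()
    if h == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_proxy_server(value):
    """Split an IE ProxyServer value into (scheme, host, port, is_local) tuples.
    IE stores either 'host:port' (all protocols) or 'http=host:port;https=...'."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                       # no port given
            host, port = hostport, ""
        entries.append((scheme or "all", host, int(port) if port.isdigit() else None,
                        _is_local(host)))
    return entries


def trusted_zone_host(entry):
    """DDS prints a Trusted Zone entry as 'domain\\sub', mirroring the registry
    layout under ZoneMap\\Domains; rebuild the host name it applies to."""
    domain, _, sub = entry.partition("\\")
    return "%s.%s" % (sub, domain) if sub else domain


def audit_dds(text, expected_trusted=()):
    """Return proxies, Trusted Zone hosts and human-readable findings."""
    expected = {h.lower() for h in expected_trusted}
    out = {"proxies": [], "trusted_zones": [], "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port, local in parse_proxy_server(m.group(1)):
                out["proxies"].append((scheme, host, port, local))
                if local:
                    out["findings"].append(
                        "%s traffic goes through a proxy on this machine (%s:%s): some "
                        "local process sits between the browser and the web" % (scheme, host, port))
            continue
        m = ZONE_RE.match(line)
        if m:
            host = trusted_zone_host(m.group(1)).lower()
            out["trusted_zones"].append(host)
            if host not in expected:
                out["findings"].append("Trusted Zone entry you did not list: %s" % host)
    return out


if __name__ == "__main__":
    known = ["www.update.microsoft.com"]          # sites the owner remembers adding
    for finding in audit_dds(DDS_EXCERPT, expected_trusted=known)["findings"]:
        print(finding)
```

The proxy parser accepts both forms IE writes, a bare host:port that applies to every protocol and the per-protocol http=...;https=... list, and reports the IPv6 loopback [::1] as local too. The ComboFix DDS:: directive above does the removal; this script only tells you what to question before you remove it.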

On the trusted zones: I stopped using Internet Explorer and only use Firefox. I think I set those sites, but I'm not too sure. I use Avast as my security service. I did not set it up to monitor myself and not Windows.

I ran ComboFix as directed. It stalled when restarting the computer and I had to manually turn off the computer. When rebooting, ComboFix still finished and produced a log. I then couldn't access the internet. I reran ComboFix, thinking it did not finish completely, due to the fact that I believe it disables your internet when running. The same thing happened: it stalled, forcing me to manually turn off the computer. Both times I waited a few hours for ComboFix to restart the computer; both times it stalled at the "logging off Windows" screen.

Below are both logs after computer was manually rebooted.

Thank you

ComboFix 10-08-25.01 - Sccccc 08/26/2010 8:34.2.2 - x86

Microsoft


Hi,

Those trusted zones do not only affect IE but your internet browsing as a whole.

Please go to VirusTotal

  • Click on Browse.
  • On the File Upload window, copy/paste the text below into the File name box:
    c:\windows\system32\wininit.exe
  • Click Send file. Allow the file to be scanned. If it says already scanned -- click Reanalyze Now

Repeat the procedure with the following files:

c:\windows\system32\wbem\WMIADAP.EXE

c:\windows\helppane.exe

Please post the results in your next reply.


Good to know about trusted sites I will not add any sites and will look at current sites.

Here are the results from VirusTotal. Thank you.

File name: wininit.exe
Submission date: 2010-08-27 18:28:32 (UTC)
Result: 0/42 (0.0%)

Antivirus Version Last Update Result

AhnLab-V3 2010.08.27.00 2010.08.26 -

AntiVir 8.2.4.46 2010.08.27 -

Antiy-AVL 2.0.3.7 2010.08.26 -

Authentium 5.2.0.5 2010.08.27 -

Avast 4.8.1351.0 2010.08.27 -

Avast5 5.0.594.0 2010.08.27 -

AVG 9.0.0.851 2010.08.27 -

BitDefender 7.2 2010.08.27 -

CAT-QuickHeal 11.00 2010.08.27 -

ClamAV 0.96.2.0-git 2010.08.27 -

Comodo 5877 2010.08.27 -

DrWeb 5.0.2.03300 2010.08.27 -

Emsisoft 5.0.0.37 2010.08.27 -

eSafe 7.0.17.0 2010.08.26 -

eTrust-Vet 36.1.7821 2010.08.27 -

F-Prot 4.6.1.107 2010.08.26 -

F-Secure 9.0.15370.0 2010.08.27 -

Fortinet 4.1.143.0 2010.08.26 -

GData 21 2010.08.27 -

Ikarus T3.1.1.88.0 2010.08.27 -

Jiangmin 13.0.900 2010.08.27 -

Kaspersky 7.0.0.125 2010.08.27 -

McAfee 5.400.0.1158 2010.08.27 -

McAfee-GW-Edition 2010.1B 2010.08.27 -

Microsoft 1.6103 2010.08.27 -

NOD32 5402 2010.08.27 -

Norman 6.05.11 2010.08.27 -

nProtect 2010-08-27.01 2010.08.27 -

Panda 10.0.2.7 2010.08.27 -

PCTools 7.0.3.5 2010.08.27 -

Prevx 3.0 2010.08.27 -

Rising 22.62.04.04 2010.08.27 -

Sophos 4.56.0 2010.08.27 -

Sunbelt 6802 2010.08.27 -

SUPERAntiSpyware 4.40.0.1006 2010.08.27 -

Symantec 20101.1.1.7 2010.08.27 -

TheHacker 6.5.2.1.356 2010.08.26 -

TrendMicro 9.120.0.1004 2010.08.27 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.27 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.25.4006 2010.08.27 -

VirusBuster 5.0.27.0 2010.08.27 -


MD5 : 101ba3ea053480bb5d957ef37c06b5ed

SHA1 : 738ef691944f08cf0c405a52f3f55e99ef6e8e6e

SHA256: 9a02771da9c226552a1766c2dd0295eca8b5b80aae13076ffce6a806fa5c21b8

File name: WMIADAP.exe
Submission date: 2010-08-27 18:31:12 (UTC)
Result: 0/42 (0.0%)

Antivirus Version Last Update Result

AhnLab-V3 2010.08.27.00 2010.08.26 -

AntiVir 8.2.4.46 2010.08.27 -

Antiy-AVL 2.0.3.7 2010.08.26 -

Authentium 5.2.0.5 2010.08.27 -

Avast 4.8.1351.0 2010.08.27 -

Avast5 5.0.594.0 2010.08.27 -

AVG 9.0.0.851 2010.08.27 -

BitDefender 7.2 2010.08.27 -

CAT-QuickHeal 11.00 2010.08.27 -

ClamAV 0.96.2.0-git 2010.08.27 -

Comodo 5877 2010.08.27 -

DrWeb 5.0.2.03300 2010.08.27 -

Emsisoft 5.0.0.37 2010.08.27 -

eSafe 7.0.17.0 2010.08.26 -

eTrust-Vet 36.1.7821 2010.08.27 -

F-Prot 4.6.1.107 2010.08.26 -

F-Secure 9.0.15370.0 2010.08.27 -

Fortinet 4.1.143.0 2010.08.26 -

GData 21 2010.08.27 -

Ikarus T3.1.1.88.0 2010.08.27 -

Jiangmin 13.0.900 2010.08.27 -

Kaspersky 7.0.0.125 2010.08.27 -

McAfee 5.400.0.1158 2010.08.27 -

McAfee-GW-Edition 2010.1B 2010.08.27 -

Microsoft 1.6103 2010.08.27 -

NOD32 5402 2010.08.27 -

Norman 6.05.11 2010.08.27 -

nProtect 2010-08-27.01 2010.08.27 -

Panda 10.0.2.7 2010.08.27 -

PCTools 7.0.3.5 2010.08.27 -

Prevx 3.0 2010.08.27 -

Rising 22.62.04.04 2010.08.27 -

Sophos 4.56.0 2010.08.27 -

Sunbelt 6802 2010.08.27 -

SUPERAntiSpyware 4.40.0.1006 2010.08.27 -

Symantec 20101.1.1.7 2010.08.27 -

TheHacker 6.5.2.1.356 2010.08.26 -

TrendMicro 9.120.0.1004 2010.08.27 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.27 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.25.4006 2010.08.27 -

VirusBuster 5.0.27.0 2010.08.27 -


MD5 : f8d8bb3f6173fff00128612f33d3197a

SHA1 : bcaaeec18aeba09cd2b03efe30a249179a9e2813

SHA256: 38b9344c0fd56afcd7974c7b9608b74cd676d97c7f8c9b6ecaed7d5eb0d45810

File name: HelpPane.exe
Submission date: 2010-08-27 18:35:40 (UTC)
Result: 0/42 (0.0%)

Antivirus Version Last Update Result

AhnLab-V3 2010.08.27.00 2010.08.26 -

AntiVir 8.2.4.46 2010.08.27 -

Antiy-AVL 2.0.3.7 2010.08.26 -

Authentium 5.2.0.5 2010.08.27 -

Avast 4.8.1351.0 2010.08.27 -

Avast5 5.0.594.0 2010.08.27 -

AVG 9.0.0.851 2010.08.27 -

BitDefender 7.2 2010.08.27 -

CAT-QuickHeal 11.00 2010.08.27 -

ClamAV 0.96.2.0-git 2010.08.27 -

Comodo 5877 2010.08.27 -

DrWeb 5.0.2.03300 2010.08.27 -

Emsisoft 5.0.0.37 2010.08.27 -

eSafe 7.0.17.0 2010.08.26 -

eTrust-Vet 36.1.7821 2010.08.27 -

F-Prot 4.6.1.107 2010.08.26 -

F-Secure 9.0.15370.0 2010.08.27 -

Fortinet 4.1.143.0 2010.08.26 -

GData 21 2010.08.27 -

Ikarus T3.1.1.88.0 2010.08.27 -

Jiangmin 13.0.900 2010.08.27 -

Kaspersky 7.0.0.125 2010.08.27 -

McAfee 5.400.0.1158 2010.08.27 -

McAfee-GW-Edition 2010.1B 2010.08.27 -

Microsoft 1.6103 2010.08.27 -

NOD32 5403 2010.08.27 -

Norman 6.05.11 2010.08.27 -

nProtect 2010-08-27.01 2010.08.27 -

Panda 10.0.2.7 2010.08.27 -

PCTools 7.0.3.5 2010.08.27 -

Prevx 3.0 2010.08.27 -

Rising 22.62.04.04 2010.08.27 -

Sophos 4.56.0 2010.08.27 -

Sunbelt 6802 2010.08.27 -

SUPERAntiSpyware 4.40.0.1006 2010.08.27 -

Symantec 20101.1.1.7 2010.08.27 -

TheHacker 6.5.2.1.356 2010.08.26 -

TrendMicro 9.120.0.1004 2010.08.27 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.27 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.25.4006 2010.08.27 -

VirusBuster 5.0.27.0 2010.08.27 -


MD5 : 3708ccee4878eb0b9e7b92355a631853

SHA1 : fb2b64805e8ef1afa11439589a172603a881dd3f

SHA256: 6ca3c86da704eb113c48ab7ac4583ab8d532d63f9d7331a4744a081b102621f5


Hi,

Please do the following:

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

DDS::

Trusted Zone: adobe.com\get

Trusted Zone: avast.com\www

Trusted Zone: bankofamerica.com\sitekey

Trusted Zone: foxracingshox.com\www

Trusted Zone: gearattack.com

Trusted Zone: ingdirect.com\secure

Trusted Zone: microsoft.com\www.update

Trusted Zone: paypal.com\www

Trusted Zone: santacruzbicycles.com\www

Trusted Zone: santacruzmtb.com\www

Trusted Zone: ziprealty.com\www

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000000

FixCSet::

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi,

Please do the following:

  • Click on Start button.
  • Open Control Panel.
  • Open Security.
  • Open Security Center.
  • Click Malware protection, click the button under Virus protection or Spyware and other malware protection.
  • Set it so that Windows monitors your Antivirus.

--Next--

Download TFC to your desktop

  • Close any open windows.
  • Right click the TFC icon then choose "Run as Administrator" to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

--Next--

Please download Malwarebytes' Anti-Malware to your desktop.

  • Right-click mbam-setup.exe then choose "Run as Administrator" and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

--Next--

Run an on-line scan with Kaspersky

Right click Internet Explorer or Firefox then choose "Run as Administrator" to run the program.

NOTE: After scanning with Kaspersky, close your browser then run it without administrator privileges for your browsing.

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take several minutes.

  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

--Next--

Run another DDS scan for me please.

To post in your next reply:

1. Malwarebytes' log.

2. Kaspersky log.

3. DDS logs.

4. How is your computer?


I have not been using my computer too much during this process, but I haven't had any Google redirects since you started helping me. It seems to be working fine.

All logs are posted below I attached the 2nd part of the DDS log.

Thanks

1

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4509

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18928

8/30/2010 10:38:22 AM

mbam-log-2010-08-30 (10-38-22).txt

Scan type: Quick scan

Objects scanned: 154223

Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, August 30, 2010

Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, August 30, 2010 11:53:42

Records in database: 4168557

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

N:\

Scan statistics:

Objects scanned: 140372

Threats found: 8

Infected objects found: 17

Suspicious objects found: 0

Scan duration: 01:42:33

File name / Threat / Threats count

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan-Downloader.Win32.FraudLoad.gmx 2

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.Inject.apdr 1

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.Agent2.lkr 1

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan-Dropper.Win32.Agent.bzfo 1

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Worm.Win32.Mabezat.h 1

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.VBKrypt.yj 1

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.Oficla.bd 1

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan-Downloader.Win32.FraudLoad.gmx 2

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.Inject.apdr 1

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.Agent2.lkr 1

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan-Dropper.Win32.Agent.bzfo 1

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Worm.Win32.Mabezat.h 1

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.VBKrypt.yj 1

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst Infected: Trojan.Win32.Oficla.bd 1

N:\Sccccc Work\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\2d498a7b-2861c458 Infected: Trojan-Downloader.Java.Agent.ea 1

Selected area has been scanned.

3

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sccccc at 15:10:44.05 on Mon 08/30/2010

Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_21

Microsoft

Attach.zip


Hi,

Your Outlook archived files are infected. We'll remove them.

Please do the following:

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

C:\Users\Sccccc\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

N:\Sccccc Work\AppData\Local\Microsoft\Outlook\Archive Folders Work.pst

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

--Next--

Go into the Control Panel and double-click the Java Icon.

  • Under Temporary Internet Files, click the Settings... button
  • click the Delete Files button.
  • There are two options in the window to clear the cache - Leave both Checked
    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.


Hi,

Your computer now looks clean! ;)

To re-enable your Emulation drivers, right click DeFogger then choose "Run as Administrator" to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Let's do a little clean up before you go.

Delete the following:

  • GMER
  • DDS
  • All the logs we've created.

You can keep TFC and use it to clean your computer of some junk at least once a week. You can also keep Malwarebytes; it is an excellent malware removal tool. Update at least once a week, then run a complete scan.

--Next--

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

--Next--

You need to create a new Clean restore point.

  • Click Start - All Programs - Accessories - System Tools - System Restore
  • Click on open System Protection.
  • On the System Protection tab in System Properties click on Create.
  • Give the restore point an appropriate name and click Create.

--Next--

  • Open any folder.
  • Click on Organize button.
  • Select Folders and Search Options.
  • On the Folder Options window, click on View tab.
  • Select Show hidden files and folders from the list.
  • Click OK to save the new settings and close the Folder Options window.

To keep your operating system up to date visit

Here are some tips to reduce the potential for spyware infection in the future:

1. It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:

Strong passwords: How to create and use them

Then consider a password keeper, to keep all your passwords safe.

2. Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

3. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

5. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

For information on how to download and install, please read this tutorial by WinHelp2002

Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

6. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

7. SpywareBlaster - Download and install SpywareBlaster. This program prevents the installation of ActiveX-based spyware and other potentially unwanted programs.

8. Protect your computer from internet threats with Sandboxie. This program isolates Internet Explorer from the rest of your operating system, 'sandboxing' it away so that malicious websites can't do damage to the rest of your system. There is a Getting Started guide on their website.

9. Some excellent free firewalls. Note: Use only one firewall at a time.

Agnitum Outpost Firewall

Online Armor Personal Firewall

10. And finally, please read these excellent articles:

Limited User Accounts

Malware: Help prevent the Infection by Sandi Hardmeier

Preventing Malware - Tools and Practices for Safe Computing

We will keep this thread open for a couple of days. Please post back if you have any problems or questions. Please post back when you have finished so this thread can be marked as "Resolved".

Good luck, happy computing and stay clean! :)

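Item 5 in the closing advice above recommends a blocking hosts file such as MVPS HOSTS. A hosts file works both ways: an entry that maps a name to a sink address (0.0.0.0 or a loopback address) makes the connection fail on the machine itself, which is how it blocks ad and tracking hosts, while an entry that maps a name to any other address sends the browser there no matter what DNS says. Reviewing which kind each entry is belongs on the checklist for a redirect problem. The following is an added example, not code from this thread or from the MVPS HOSTS project, that classifies every entry in a hosts file; the sample content is constructed, and its one redirect entry uses a TEST-NET address purely to show the pattern. The default file location used for Windows is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit a hosts file: blocking entries versus redirects.

Added example; not code from the thread or from the MVPS HOSTS project. A
blocking hosts file maps unwanted names to a sink address (0.0.0.0 or a
loopback address) so the connection fails on the machine itself. An entry
that maps a name to any other address is a redirect: the browser goes where
the hosts file says, whatever DNS says. SAMPLE_HOSTS is constructed; its
redirect entry uses a TEST-NET address and illustrates the pattern only.
"""
import ipaddress
import os

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocking entries in the MVPS style (constructed names)
0.0.0.0 ads.example-tracker.test
0.0.0.0 counter.example-tracker.test   # trailing comment is ignored
# a constructed redirect: a real site name pointed at a remote address
198.51.100.23   www.google.com google.com
"""


def default_hosts_path():
    """Path of the live hosts file: Windows keeps it under System32."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every effective entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()     # drop comments, split fields
        if len(parts) >= 2:
            yield no, parts[0], [p.lower() for p in parts[1:]]


def audit_hosts(text):
    """Classify entries: 'self' (loopback -> localhost), 'sink' (blocking),
    'redirect' (routable address) or 'invalid' (unparsable address)."""
    out = {"self": [], "sink": [], "redirect": [], "invalid": []}
    for no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            out["invalid"].append((no, addr, names))
            continue
        if ip.is_loopback and names == ["localhost"]:
            out["self"].append((no, addr, names))
        elif ip.is_unspecified or ip.is_loopback:
            out["sink"].append((no, addr, names))
        else:
            out["redirect"].append((no, addr, names))
    return out


def describe(out):
    """Plain-text lines; redirects first because they need a human decision."""
    lines = ["line %d: %s -> %s  REDIRECT, confirm it is intentional"
             % (no, " ".join(names), addr) for no, addr, names in out["redirect"]]
    lines += ["line %d: unparsable address %r" % (no, addr) for no, addr, _ in out["invalid"]]
    lines.append("%d blocking entries, %d localhost entries, %d redirects"
                 % (len(out["sink"]), len(out["self"]), len(out["redirect"])))
    return lines


if __name__ == "__main__":
    print("hosts file on this system:", default_hosts_path())
    print("\n".join(describe(audit_hosts(SAMPLE_HOSTS))))
```

To audit the real file, read default_hosts_path() instead of SAMPLE_HOSTS; on Windows that needs an elevated prompt only if you intend to edit the file, not to read it. A legitimate MVPS-style file produces a long list of sink entries and no redirects at all, so any line in the REDIRECT group is either something you put there yourself or something that needs explaining.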

Glad we could help. ;)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.