
ran mwb - scans now clean, but web browser still hijacked.



Hi,

I'm working on a Windows XP Pro machine that had a rogue AV on it. I ran MWB and it found/removed a few files. The next scan came up clean. After running ComboFix, it detected rootkits and ran a clean as well. I dumped and reset the system restore.

I received a call today that the person is still getting the message "Attention! Your web page request has been cancelled". With research, all comments tie this back to AV7... but I have looked for the files and registry entries that need to be removed, and have found none, anywhere.

An attempt to connect to MWB will produce: http://stopmalwaresite.com/block.php?url=h...lwarebytes.org/ - as well as many other sites. I need to find and remove the remainder of this hijack. Help please... Thanks!

p.s. logs are in zip file

mbam_log_2010_08_24__10_45_54_.zip


Hi,

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert". It is NOT for unsupervised use. Please read ComboFix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillerMain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please delete your copy of ComboFix.exe from the desktop.

Then download the latest version of ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Thanks! - I will run it on Monday and submit it.


Hi,

Fine by me. :)

Please note I've updated my instructions. I've added TDSSKiller. ;)

I was finally able to get back to the machine in question today. I ran an updated Malwarebytes and ComboFix. The newer version of MWB found 6 more trojan entries, but the hijack was still there. I also ran ComboFix with the newest version, and it made some changes - after the combination of the newer definitions (9-2-10) the problem was finally fixed and I could move the PC to all pages I attempted (MWB came up clean on the final scan - as a safety check). Flushed the system restore and set a new clean point. So the issue is resolved. I am including the 2 final logs after the fix so if anyone has this in the future, they can analyze them and maybe find an answer. However, it seems someone already did find the answer, as the updated scans took care of things.

Thanks,

techron

combofix_log.txt

mbam_log_2010_09_02__12_37_52_.txt


Hi,

Please do not attach (or quote) your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-09-01.04 - OWNER 09/02/2010 12:55:11.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1498 [GMT -5:00]

Running from: c:\documents and settings\OWNER\Desktop\ComboFix.exe

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {A4BAC90A-DA80-48B5-B497-993434E02492}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\OWNER\My Documents\save1.reg

c:\windows\system32\gotomon.log . . . .

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))

.

2010-08-25 05:01 . 2010-08-25 05:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-24 15:17 . 2010-08-24 15:30 -------- d-----w- c:\documents and settings\OWNER\Application Data\TeamViewer

2010-08-23 19:10 . 2010-08-23 19:10 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-23 19:07 . 2010-08-23 19:07 503808 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-376d8646-n\msvcp71.dll

2010-08-23 19:07 . 2010-08-23 19:07 499712 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-376d8646-n\jmc.dll

2010-08-23 19:07 . 2010-08-23 19:07 348160 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-376d8646-n\msvcr71.dll

2010-08-23 19:07 . 2010-08-23 19:07 -------- d-----w- c:\program files\Common Files\Java

2010-08-23 19:06 . 2010-08-23 19:06 61440 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6b60f07e-n\decora-sse.dll

2010-08-23 19:06 . 2010-08-23 19:06 12800 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6b60f07e-n\decora-d3d.dll

2010-08-23 19:06 . 2010-08-23 19:06 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-23 19:06 . 2010-08-23 19:06 -------- d-----w- c:\program files\Java

2010-08-23 19:06 . 2010-08-23 19:06 79488 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll

2010-08-23 19:06 . 2010-08-23 19:06 152576 ----a-w- c:\documents and settings\OWNER\Application Data\Sun\Java\jre1.6.0_21\lzma.dll

2010-08-23 19:04 . 2010-09-02 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-23 18:14 . 2010-08-23 18:14 -------- d-----w- c:\documents and settings\OWNER\Application Data\GlarySoft

2010-08-23 18:13 . 2010-08-24 15:08 -------- d-----w- c:\program files\Glary Utilities

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 16:10 . 2008-07-01 14:44 7164 ----a-w- c:\documents and settings\OWNER\Application Data\wklnhst.dat

2010-08-30 13:10 . 2010-08-23 18:10 5427 ----a-w- c:\windows\EGATHDRV.TMP

2010-08-30 13:10 . 2008-01-11 21:24 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-08-24 15:11 . 2008-01-25 22:24 -------- d-----w- c:\program files\Windows Live Toolbar

2010-08-24 15:06 . 2008-12-02 14:54 -------- d-----w- c:\program files\My.Freeze.com Toolbar with NetAssistant

2010-08-24 15:05 . 2009-10-01 20:08 -------- d-----w- c:\program files\SiteRanker

2010-08-24 15:04 . 2008-01-28 15:57 -------- d-----w- c:\program files\Google

2010-08-24 15:04 . 2009-04-08 17:15 -------- d-----w- c:\program files\Coupons

2010-08-23 19:03 . 2008-01-11 21:19 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-23 19:02 . 2008-01-31 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-08-23 18:13 . 2009-10-16 19:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-30 12:31 . 2006-04-30 06:55 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2006-04-30 06:55 1851904 ------w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2006-04-30 06:55 354304 ------w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2006-04-30 06:55 80384 ------w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2006-04-30 07:10 744448 ------w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2006-04-30 06:55 1172480 ----a-w- c:\windows\system32\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-03 372813]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-08-26 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

serverconnect.bat [2009-11-4 114]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]

2006-04-18 17:05 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2007-06-20 16:09 10536 ------w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^logon.bat]

backup=c:\windows\pss\logon.batCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]

2005-11-14 06:23 487424 ------w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]

2006-04-18 17:05 69632 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]

2006-05-13 04:15 2333440 ------w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2005-01-08 01:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2006-10-06 04:13 114688 ------w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2006-10-06 04:11 98304 ------w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]

2006-03-22 16:10 106496 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]

2005-08-24 23:25 101080 ------w- c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]

2005-04-13 22:34 49152 ------w- c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2006-10-06 04:10 94208 ------w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

2005-10-28 18:08 335872 ------w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

2009-02-23 13:05 111856 ------w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

2006-07-13 15:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2006-12-18 13:34 868352 ------w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]

2006-03-28 12:01 503808 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2009-02-23 13:05 111856 ------w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\SHARP\\Printer Status Monitor\\Smon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15881:TCP"= 15881:TCP:spport

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [5/12/2006 9:10 PM 3968]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [12/5/2006 2:29 PM 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [12/5/2006 2:29 PM 36368]

.

Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2010-09-02 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-08-23 16:21]

.

.

------- Supplementary Scan -------

.

uStart Page = https://207.160.250.243/uplinkos/login.php

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

TCP: {1A2E1483-C16C-4E4D-9C0D-E510C62037D7} = 192.168.10.1,4.2.2.2

DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} - hxxps://ntserver:4343/SMB/console/html/root/AtxConsole.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - c:\program files\My.Freeze.com Toolbar with NetAssistant\freeze_us.dll

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll

MSConfigStartUp-DiskeeperSystray - c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

MSConfigStartUp-SiteRanker - c:\program files\SiteRanker\SiteRankTray.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe

AddRemove-HijackThis - c:\documents and settings\OWNER\Desktop\HijackThis.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\windows\system32\WININET.dll

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1044)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2180)

c:\windows\system32\WININET.dll

c:\windows\system32\PROCHLP.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Microsoft Office\Office10\msohev.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\IPSSVC.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe

c:\program files\Common Files\Lenovo\Logger\logmon.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\TEMP\BED0B6.EXE

c:\program files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

.

**************************************************************************

.

Completion time: 2010-09-02 13:11:41 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-02 18:11

ComboFix2.txt 2010-08-23 19:02

Pre-Run: 50,299,654,144 bytes free

Post-Run: 50,215,886,848 bytes free

- - End Of File - - 803CB0C01768A72276C731A594BF1B37

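A small triage script for a pasted ComboFix log like the one above, written here as an added example (it is not part of this thread and is not a Malwarebytes or ComboFix tool). The section names and line layouts are taken from the log above; the "review" heuristics (bare-IP start page, DNS server outside private ranges, process running from a temp folder) are my assumptions, not ComboFix verdicts, and the embedded log excerpt is constructed from lines in the posted log.

```python
"""Triage helper for a pasted ComboFix log (added example, not ComboFix's own
code). It splits the log into its banner-delimited sections and pulls out what
a helper checks first when a browser keeps redirecting: Run autostarts, the IE
start/search URLs, adapter DNS servers (TCP: line), DPF (ActiveX) downloads and
processes running from temp folders. The 'review' heuristics are assumptions."""
import re

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
.
------- Supplementary Scan -------
.
uStart Page = https://207.160.250.243/uplinkos/login.php
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
TCP: {1A2E1483-C16C-4E4D-9C0D-E510C62037D7} = 192.168.10.1,4.2.2.2
DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} - hxxps://ntserver:4343/SMB/console/html/root/AtxConsole.cab
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\TEMP\BED0B6.EXE
.
"""

# Section banners look like "((((( Name )))))" or "------- Name -------".
SECTION_RE = re.compile(r"^[(\- ]{3,}\s*([A-Za-z].*?)\s*[)\- ]{3,}$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
START_RE = re.compile(r"^[um]?(?P<what>Start Page|SearchURL[^\s=]*)\s*=\s*(?P<url>\S+)")
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(?P<servers>\S+)")
DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<url>\S+)")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)


def split_sections(log):
    """Map each banner title to the non-empty, non-'.' lines under it."""
    sections, current = {}, "header"
    for raw in log.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def refang(url):
    """ComboFix writes hxxp:// so pasted URLs are not clickable; undo that."""
    return re.sub(r"^hxx(ps?://)", r"htt\1", url, flags=re.I)


def is_private(ip):
    """True for RFC 1918 and loopback addresses (dotted-quad only)."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return False
    a, b = int(parts[0]), int(parts[1])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def triage(log):
    """Return the extracted entries plus a list of items worth a second look."""
    sections = split_sections(log)
    out = {"autostarts": [], "browser": [], "dns": [], "dpf": [], "review": []}
    key = None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key the following values belong to
            continue
        m = RUN_RE.match(line)
        if m and key and re.search(r"\\run(once)?$", key, re.I):
            out["autostarts"].append((key, m["name"], m["path"]))
    for line in sections.get("Supplementary Scan", []):
        if m := START_RE.match(line):
            url = refang(m["url"])
            out["browser"].append((m["what"], url))
            if IP_URL_RE.match(url):  # assumption: a bare-IP start page deserves a look
                out["review"].append(f"start/search URL is a bare IP: {url}")
        elif m := DNS_RE.match(line):
            for server in m["servers"].split(","):
                out["dns"].append(server)
                if not is_private(server):  # assumption: confirm a public resolver is intended
                    out["review"].append(f"DNS server outside private ranges: {server}")
        elif m := DPF_RE.match(line):
            out["dpf"].append(refang(m["url"]))
    for line in sections.get("Other Running Processes", []):
        if TEMP_RE.search(line):  # assumption: running from a temp folder is unusual
            out["review"].append(f"process running from a temp folder: {line}")
    return out
```

Run `triage()` over the full text of a log to get the same five lists; anything in "review" is a prompt to confirm with the machine's owner, not a malware verdict.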

Hi,

Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. ;)

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files

Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall

You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean' then it doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated

It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Firefox and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.

  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec, or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?

If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,

Gammo :)
