
Removed AntivirusGT still getting redirects


Pumper


Hi, I've run into a problem with a family member's laptop similar to this thread here. I managed to remove AntivirusGT along with some other malware using MalwareBytes, Spybot S&D, Avast Antivirus, CWShredder, Windows Defender, CCleaner. Basically, I ran everything I could think of in normal and safe mode. Whenever going to certain websites with IE or Firefox, the page gets redirected to a red page with "ATTENTION! Your web page request has been cancelled." Other things I've tried: changed proxy settings in Firefox / IE, wiped personal settings in Firefox / IE, checked the hosts file.

Specs: Windows 7 Home Premium (64-bit) / 2.1GHz Pentium® Dual-Core CPU / 4GB RAM

I went ahead and completed the steps listed in this thread, since they are similar. Only Gmer had 2 errors when I ran it; it still scanned but didn't find anything, so the log was blank.

Logfile of random's system information tool 1.08 (written by random/random)

Run by miheal at 2010-09-22 02:02:23

Microsoft Windows 7 Home Premium

System drive C: has 401 GB (87%) free of 462 GB

Total RAM: 4056 MB (77% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

Windows Live ID Sign-in Helper - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

Google Toolbar Helper - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2010-07-12 278192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Google Toolbar Notifier BHO - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-06-04 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

LimeWire Toolbar - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll [2010-06-10 1233288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-08-04 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2010-07-12 278192]

{D4027C7F-154A-4066-A1AD-4243D8127440} - LimeWire Toolbar - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll [2010-06-10 1233288]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"=C:\Program Files (x86)\QuickTime\QTTask.exe [2009-11-11 417792]

"iTunesHelper"=C:\Program Files (x86)\iTunes\iTunesHelper.exe [2010-02-15 141608]

"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]

"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]

"avast5"=C:\Program Files\Alwil Software\Avast5\avastUI.exe [2010-09-07 2838912]

"SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

C:\Users\miheal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

LimeWire On Startup.lnk - C:\Program Files (x86)\LimeWire\LimeWire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"ConsentPromptBehaviorAdmin"=5

"ConsentPromptBehaviorUser"=3

"EnableUIADesktopToggle"=0

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoActiveDesktop"=1

"NoActiveDesktopChanges"=1

"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 3 months======

2010-09-22 02:02:24 ----D---- C:\Program Files (x86)\trend micro

2010-09-22 02:02:23 ----D---- C:\rsit

2010-09-22 01:58:34 ----D---- C:\Windows\ERDNT

2010-09-22 01:57:50 ----D---- C:\Program Files (x86)\ERUNT

2010-09-22 00:56:31 ----D---- C:\Program Files (x86)\Common Files\Java

2010-09-22 00:55:24 ----A---- C:\Windows\SysWOW64\javaws.exe

2010-09-22 00:55:24 ----A---- C:\Windows\SysWOW64\javaw.exe

2010-09-22 00:55:24 ----A---- C:\Windows\SysWOW64\java.exe

2010-09-21 18:47:17 ----A---- C:\Windows\SysWOW64\deployJava1.dll

2010-09-21 18:04:23 ----A---- C:\Windows\SysWOW64\aswBoot.exe

2010-09-21 18:04:22 ----D---- C:\ProgramData\Alwil Software

2010-09-21 15:38:31 ----RD---- C:\32788R22FWJFW

2010-09-20 19:46:46 ----A---- C:\Windows\SysWOW64\yhe48o.dll

2010-09-20 19:46:43 ----D---- C:\ProgramData\Update

2010-09-20 17:09:15 ----D---- C:\ProgramData\Spybot - Search & Destroy

2010-09-20 17:09:15 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy

2010-09-20 17:03:40 ----D---- C:\Program Files (x86)\CCleaner

2010-09-20 16:02:43 ----D---- C:\Users\miheal\AppData\Roaming\Malwarebytes

2010-09-20 16:02:33 ----D---- C:\ProgramData\Malwarebytes

2010-09-20 16:02:33 ----A---- C:\Windows\SysWOW64\drivers\mbamswissarmy.sys

2010-09-20 16:02:32 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2010-09-19 21:31:02 ----D---- C:\Windows\Minidump

2010-09-15 11:11:58 ----A---- C:\Windows\SysWOW64\iertutil.dll

2010-09-02 15:56:39 ----D---- C:\Program Files (x86)\Aleks 3.13

2010-09-02 15:56:39 ----A---- C:\Windows\unvise32.exe

2010-08-24 12:41:03 ----A---- C:\Windows\SysWOW64\oleaut32.dll

2010-08-11 23:35:15 ----A---- C:\Windows\SysWOW64\schannel.dll

2010-08-11 23:35:02 ----A---- C:\Windows\SysWOW64\ntoskrnl.exe

2010-08-11 23:35:02 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe

2010-08-11 23:34:56 ----A---- C:\Windows\SysWOW64\mshtml.dll

2010-08-11 23:34:56 ----A---- C:\Windows\SysWOW64\ieframe.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\wininet.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\urlmon.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\mstime.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\msfeedsbs.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\ieui.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\iepeers.dll

2010-08-11 23:34:54 ----A---- C:\Windows\SysWOW64\iedkcs32.dll

2010-08-11 23:34:53 ----A---- C:\Windows\SysWOW64\msfeedssync.exe

2010-08-11 23:34:53 ----A---- C:\Windows\SysWOW64\jsproxy.dll

2010-08-11 23:34:47 ----A---- C:\Windows\SysWOW64\rtutils.dll

2010-08-11 23:34:45 ----A---- C:\Windows\SysWOW64\iccvid.dll

2010-08-11 23:34:42 ----A---- C:\Windows\SysWOW64\msxml3.dll

2010-08-02 16:42:48 ----A---- C:\Windows\SysWOW64\shell32.dll

2010-07-14 03:24:55 ----D---- C:\ProgramData\PopCap Games

2010-07-14 03:24:55 ----D---- C:\Program Files (x86)\PopCap Games

2010-07-14 03:18:20 ----D---- C:\Program Files (x86)\bfgclient

2010-07-14 03:17:48 ----D---- C:\BigFishGamesCache

======List of files/folders modified in the last 3 months======

2010-09-22 02:02:25 ----D---- C:\Windows\Temp

2010-09-22 02:02:24 ----RD---- C:\Program Files (x86)

2010-09-22 02:02:02 ----D---- C:\Users\miheal\AppData\Roaming\LimeWire

2010-09-22 02:00:40 ----D---- C:\Windows

2010-09-22 01:11:51 ----D---- C:\Windows\System32

2010-09-22 01:11:51 ----D---- C:\Windows\inf

2010-09-22 00:56:31 ----SHD---- C:\Windows\Installer

2010-09-22 00:56:31 ----D---- C:\Program Files (x86)\Common Files

2010-09-22 00:55:24 ----D---- C:\Windows\SysWOW64

2010-09-22 00:55:20 ----D---- C:\Program Files (x86)\Java

2010-09-21 18:04:49 ----D---- C:\Windows\winsxs

2010-09-21 18:04:31 ----D---- C:\Program Files (x86)\Common Files\microsoft shared

2010-09-21 18:04:22 ----RD---- C:\Program Files

2010-09-21 18:04:22 ----HD---- C:\ProgramData

2010-09-21 16:37:07 ----D---- C:\ProgramData\McAfee

2010-09-21 16:34:33 ----D---- C:\Windows\Tasks

2010-09-20 17:04:35 ----D---- C:\Windows\debug

2010-09-20 16:02:33 ----D---- C:\Windows\SysWOW64\drivers

2010-09-17 11:10:13 ----D---- C:\Program Files (x86)\Mozilla Firefox

2010-09-15 11:13:50 ----D---- C:\ProgramData\Microsoft Help

2010-09-15 11:11:51 ----SHD---- C:\System Volume Information

2010-09-14 09:31:47 ----D---- C:\Program Files (x86)\Microsoft Silverlight

2010-09-11 16:05:20 ----D---- C:\Program Files (x86)\Ask.com

2010-09-11 16:05:18 ----D---- C:\Windows\Prefetch

2010-08-25 00:51:38 ----D---- C:\Windows\AppPatch

2010-08-13 14:18:46 ----D---- C:\Windows\Microsoft.NET

2010-08-13 14:18:08 ----RSD---- C:\Windows\assembly

2010-08-12 12:17:23 ----D---- C:\Windows\SysWOW64\migration

2010-08-12 12:17:23 ----D---- C:\Program Files (x86)\Internet Explorer

2010-07-28 14:28:12 ----D---- C:\Windows\LiveKernelReports

2010-06-25 03:01:41 ----D---- C:\Windows\SysWOW64\en-US

2010-06-25 03:01:37 ----D---- C:\Program Files (x86)\Microsoft.NET

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys []

R1 aswRdr;aswRdr; C:\Windows\SysWOW64\drivers\aswRdr.sys []

R1 aswSP;aswSP; C:\Windows\SysWOW64\drivers\aswSP.sys []

R1 aswTdi;avast! Network Shield Support; C:\Windows\SysWOW64\drivers\aswTdi.sys []

R2 aswFsBlk;aswFsBlk; C:\Windows\SysWOW64\drivers\aswFsBlk.sys []

R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys []

R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys []

R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys []

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit; C:\Windows\system32\DRIVERS\netw5v64.sys []

S3 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys []

S3 USBAAPL64;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl64.sys []

S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-09-07 40384]

R2 Bonjour Service;Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2008-12-12 238888]

R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 2291568]

R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-09-07 40384]

R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-09-07 40384]

R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-02-15 660256]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-03-20 135664]

S3 GoToAssist;GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe [2010-03-19 16680]

S3 gusvc;Google Software Updater; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-12 182768]

S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]

S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe []

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.08 2010-09-22 02:02:27

======Uninstall list======

-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe

Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->MsiExec.exe /X{AF36CE1D-FD2C-4BA0-93FA-1196785DD610}

Adobe Reader 9.3.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}

Aleks 3.13-->C:\Windows\unvise32.exe C:\Program Files (x86)\Aleks 3.13\uninstal.log

Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}

avast! Free Antivirus-->C:\Program Files\Alwil Software\Avast5\aswRunDll.exe "C:\Program Files\Alwil Software\Avast5\Setup\setiface.dll" RunSetup

Big Fish Games: Game Manager-->C:\Program Files (x86)\bfgclient\Uninstall.exe

CCleaner-->"C:\Program Files (x86)\CCleaner\uninst.exe"

Dell Resource CD-->MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}

ERUNT 1.1j-->"C:\Program Files (x86)\ERUNT\unins000.exe"

Google Toolbar for Internet Explorer-->"C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_223E2B8E7BAD9544.exe" /uninstall

Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}

Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

GoToAssist 8.0.0.514-->C:\Program Files (x86)\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall

Java 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}

LimeWire 5.5.7-->"C:\Program Files (x86)\LimeWire\uninstall.exe"

Malwarebytes' Anti-Malware-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"

Marvell Miniport Driver-->C:\Program Files (x86)\Marvell\Miniport Driver\Uninst.exe

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {E64BA721-2310-4B55-BE5A-2925F9706192}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0409-1000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0116-0409-1000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}

Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}

Microsoft Office Home and Student 2007-->"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL

Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}

Microsoft Office Live Add-in 1.5-->MsiExec.exe /I{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}

Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}

Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}

Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}

Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}

Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}

Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}

Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}

Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}

Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}

Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}

Mozilla Firefox (3.6.10)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe

Peggle Deluxe-->C:\Program Files (x86)\PopCap Games\Peggle Deluxe\PopUninstall.exe "C:\Program Files (x86)\PopCap Games\Peggle Deluxe\Install.log"

QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}

Security Update for 2007 Microsoft Office System (KB2277947)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5857EE21-03D0-482E-9620-5A30B314A2AE}

Security Update for 2007 Microsoft Office System (KB2288621)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5C497F0B-2061-4CC9-A61C-6B45B867354D}

Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}

Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}

Security Update for 2007 Microsoft Office System (KB982312)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B0EC5722-241F-4CDA-83B4-AA5846B6F9F4}

Security Update for 2007 Microsoft Office System (KB982331)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {E8766951-2B6C-4022-86E8-80D2D1762B76}

Security Update for Microsoft Office Excel 2007 (KB982308)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C3F9A0DC-A5D1-4BB6-870E-2953E5A2487B}

Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}

Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}

Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}

Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}

Security Update for Microsoft Office Word 2007 (KB2251419)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7E9103DA-253F-41FF-9E83-7C83806C77DA}

Spybot - Search & Destroy-->"C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"

Update for 2007 Microsoft Office System (KB2284654)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {FB166E7C-8AA6-48C8-B726-1F25BEE7825A}

Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}

Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}

Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}

Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}

Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}

Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}

Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}

Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}

======Hosts File======

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

======System event log======

Computer Name: miheal-PC

Event Code: 1014

Message: Name resolution for the name wpad.Belkin timed out after none of the configured DNS servers responded.

Record Number: 18097

Source Name: Microsoft-Windows-DNS-Client

Time Written: 20100520161334.782016-000

Event Type: Warning

User: NT AUTHORITY\NETWORK SERVICE

Computer Name: miheal-PC

Event Code: 4001

Message: WLAN AutoConfig service has successfully stopped.

Record Number: 17987

Source Name: Microsoft-Windows-WLAN-AutoConfig

Time Written: 20100520053941.506537-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: miheal-PC

Event Code: 4001

Message: WLAN AutoConfig service has successfully stopped.

Record Number: 17812

Source Name: Microsoft-Windows-WLAN-AutoConfig

Time Written: 20100518053132.872441-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: miheal-PC

Event Code: 10010

Message: The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register with DCOM within the required timeout.

Record Number: 17747

Source Name: Microsoft-Windows-DistributedCOM

Time Written: 20100518044941.000000-000

Event Type: Error

User:

Computer Name: miheal-PC

Event Code: 4001

Message: WLAN AutoConfig service has successfully stopped.

Record Number: 17636

Source Name: Microsoft-Windows-WLAN-AutoConfig

Time Written: 20100517060755.166821-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: miheal-PC

Event Code: 63

Message: A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 693

Source Name: Microsoft-Windows-WMI

Time Written: 20100325031114.000000-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: miheal-PC

Event Code: 63

Message: A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 692

Source Name: Microsoft-Windows-WMI

Time Written: 20100325031114.000000-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: miheal-PC

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

5 user registry handles leaked from \Registry\User\S-1-5-21-3631313055-1819403758-2062540117-1000:

Process 2800 (\Device\HarddiskVolume3\Program Files (x86)\LimeWire\LimeWire.exe) has opened key \REGISTRY\USER\S-1-5-21-3631313055-1819403758-2062540117-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

Process 2800 (\Device\HarddiskVolume3\Program Files (x86)\LimeWire\LimeWire.exe) has opened key \REGISTRY\USER\S-1-5-21-3631313055-1819403758-2062540117-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Process 2800 (\Device\HarddiskVolume3\Program Files (x86)\LimeWire\LimeWire.exe) has opened key \REGISTRY\USER\S-1-5-21-3631313055-1819403758-2062540117-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Process 2800 (\Device\HarddiskVolume3\Program Files (x86)\LimeWire\LimeWire.exe) has opened key \REGISTRY\USER\S-1-5-21-3631313055-1819403758-2062540117-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Process 2800 (\Device\HarddiskVolume3\Program Files (x86)\LimeWire\LimeWire.exe) has opened key \REGISTRY\USER\S-1-5-21-3631313055-1819403758-2062540117-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Record Number: 448

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20100322072104.525958-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: miheal-PC

Event Code: 11

Message: Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 800) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3F31C91E-2545-4B7B-9311-9529E8BFFEF6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.

Record Number: 249

Source Name: Microsoft-Windows-RPC-Events

Time Written: 20100320012459.635645-000

Event Type: Warning

User: NT AUTHORITY\LOCAL SERVICE

Computer Name: 37L4247E29-32

Event Code: 1008

Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Record Number: 151

Source Name: Microsoft-Windows-Search

Time Written: 20100319221823.000000-000

Event Type: Warning

User:

=====Security event log=====

Computer Name: 37L4247E29-32

Event Code: 4672

Message: Special privileges assigned to new logon.

Subject:

Security ID: S-1-5-18

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

Record Number: 5

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100319220953.932074-000

Event Type: Audit Success

User:

Computer Name: 37L4247E29-32

Event Code: 4624

Message: An account was successfully logged on.

Subject:

Security ID: S-1-5-18

Account Name: 37L4247E29-32$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Logon Type: 5

New Logon:

Security ID: S-1-5-18

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x1e4

Process Name: C:\Windows\System32\services.exe

Network Information:

Workstation Name:

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Advapi

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Record Number: 4

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100319220953.932074-000

Event Type: Audit Success

User:

Computer Name: 37L4247E29-32

Event Code: 4902

Message: The Per-user audit policy table was created.

Number of Elements: 0

Policy ID: 0x31bf3

Record Number: 3

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100319220952.216071-000

Event Type: Audit Success

User:

Computer Name: 37L4247E29-32

Event Code: 4624

Message: An account was successfully logged on.

Subject:

Security ID: S-1-0-0

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 0

New Logon:

Security ID: S-1-5-18

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x4

Process Name:

Network Information:

Workstation Name: -

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: -

Authentication Package: -

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Record Number: 2

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100319220950.032067-000

Event Type: Audit Success

User:

Computer Name: 37L4247E29-32

Event Code: 4608

Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Record Number: 1

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100319220949.844867-000

Event Type: Audit Success

User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"Path"=%CommonProgramFiles%\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\QuickTime\QTSystem\

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

"PROCESSOR_ARCHITECTURE"=AMD64

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"USERNAME"=SYSTEM

"windir"=%SystemRoot%

"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

"NUMBER_OF_PROCESSORS"=2

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 23 Stepping 10, GenuineIntel

"PROCESSOR_REVISION"=170a

"CLASSPATH"=.;C:\Program Files (x86)\QuickTime\QTSystem\QTJava.zip

"QTJAVA"=C:\Program Files (x86)\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

Results of screen317's Security Check version 0.99.5

Windows 7 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 21

Adobe Flash Player 10.0.45.2

Adobe Reader 9.3.2

Mozilla Firefox (3.6.10) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

windows defender MpCmdRun.exe

Alwil Software Avast5 AvastSvc.exe

Alwil Software Avast5 AvastUI.exe

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````
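The 4624 records in the RSIT log above all share one layout (Subject, New Logon, Process Information, Network Information, Detailed Authentication Information, then Microsoft's explanatory text), and the log repeats that explanation after every record, which makes the dump hard to read by eye. The Python below is an added example, not part of the original post and not code from the RSIT tool: it parses records in that layout and separates the routine LocalSystem logons (type 0 from the kernel, type 5 from services.exe, as in the log) from logons a standalone home laptop should not normally see, such as a type 3 network logon from another host. The sample records are constructed for this example to match the format above; the account name, the 192.0.2.10 source address, the severity levels and the trusted_sources default are assumptions, not data from the thread.

```python
# Triage 4624 logon records from an RSIT-style Security log dump. Added example, not from
# the thread or the RSIT tool; the sample records below are constructed, not from the page.
LOGON_TYPES = {  # Logon Type values documented for event 4624
    0: "system", 2: "interactive", 3: "network", 4: "batch", 5: "service", 7: "unlock",
    8: "network-cleartext", 9: "new-credentials", 10: "remote-interactive", 11: "cached-interactive",
}
LOCAL_SYSTEM_SID = "S-1-5-18"
SECTIONS = ("Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information")

# Constructed sample (layout of the log above): record 4 = the service logon shown there,
# record 3 = an assumed inbound network logon, record 1 = the boot marker.
SAMPLE_LOG = r"""
Record Number: 4
Event Code: 4624
Subject:
Security ID: S-1-5-18
Account Name: 37L4247E29-32$
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Process Information:
Process Name: C:\Windows\System32\services.exe
Network Information:
Source Network Address: -
This event is generated when a logon session is created. It is generated on the computer that was accessed.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
Record Number: 3
Event Code: 4624
Subject:
Security ID: S-1-0-0
Logon Type: 3
New Logon:
Security ID: S-1-5-21-1111-2222-3333-1001
Account Name: miheal
Account Domain: 37L4247E29-32
Network Information:
Source Network Address: 192.0.2.10
Detailed Authentication Information:
Logon Process: NtLmSsp
Record Number: 1
Event Code: 4608
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
"""


def parse_rsit_security_log(text):
    # One dict per record; fields under a section header are keyed "Section.Field".
    records, current, section = [], {}, None  # the initial dict swallows header lines
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Record Number:"):
            current, section = {}, None
            records.append(current)
        if line.startswith("This event is") or line.startswith("- "):
            section = "description"  # Microsoft's boilerplate follows; skip it
            continue
        if section == "description":
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        # Subject and New Logon reuse the same field names; Logon Type is record-level.
        if section and key != "Logon Type":
            key = f"{section}.{key}"
        current[key] = value
    return records


def triage_logons(records, trusted_sources=("-", "127.0.0.1", "::1")):
    findings = []  # (record number, level, reason) for every 4624 record
    for rec in records:
        if rec.get("Event Code") != "4624":
            continue
        ltype = int(rec.get("Logon Type", "-1"))
        kind = LOGON_TYPES.get(ltype, f"type {ltype}")
        sid = rec.get("New Logon.Security ID", "")
        who = rec.get("New Logon.Account Domain", "") + "\\" + rec.get("New Logon.Account Name", "?")
        proc = rec.get("Process Information.Process Name") or "-"
        src = rec.get("Network Information.Source Network Address", "-")
        lp = rec.get("Detailed Authentication Information.Logon Process", "-")
        level, why = "low", f"{kind} logon as {who} via {proc}"
        if sid == LOCAL_SYSTEM_SID and ltype in (0, 5):
            level, why = "expected", f"LocalSystem {kind} logon via {proc}"
        elif ltype == 3 and src not in trusted_sources:
            # A standalone laptop has no reason to accept network logons from other hosts.
            level, why = "high", f"{kind} logon as {who} from {src} ({lp})"
        elif ltype in (2, 9, 10, 11):
            level, why = "medium", f"{kind} logon as {who} via {proc}"
        findings.append((rec["Record Number"], level, why))
    return findings


if __name__ == "__main__":
    for finding in triage_logons(parse_rsit_security_log(SAMPLE_LOG)):
        print("record %s  %-8s %s" % finding)
```

On a real RSIT log, pass the Security event log section to parse_rsit_security_log(); the records come out newest first, as in the dump. The trusted_sources default only fits a standalone machine like the one in this thread: on a domain-joined PC, type 3 logons from file servers and domain controllers are normal and those addresses would need adding, otherwise everything is flagged high.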


:)

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found, ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of the TDSSKiller and GooredFix logs.


Hey LDTate :) I played around with it some more, removed some more stuff and think I got it. The redirects stopped happening. I rebooted several times and tried a bunch of different web sites / search engines / IE and Firefox to make sure. But I went ahead and gave it back to my aunt and told her to bring it back if she has any more problems. The redirects were the only problem I was having trouble getting rid of and I think it's all fixed. Thanks for the help :)


This topic is now closed to further replies.