Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Fake_alert (resolved?) but not redirects


Re: Fake_alert (resolved?) but not redirects

Post by deltalima » June 6th, 2011, 4:19 am

Hi phatkidd13,

When you ran Combofix previously, did it go as far as installing the recovery console?

Let's try to finally remove the remnants of AVG.

Removing false AV notifications in WMI using wbemtest.exe

  • Click Start > Run then type wbemtest.exe into the Open: box, click OK
  • This will launch Windows Management Instrumentation Tester
    • Click on the Connect button.
    • In the box at the top, where it says root\default change it to say root\securitycenter then click Connect
    • Click on Enum Instances
    • In the box that opens, type antivirusproduct and click OK
    • A box will open with a list of the anti-virus programmes that WMI sees on your computer.
      • There should be only one there, click to highlight it, then click Delete
      • Click Close to close the Query box.
    • Exit out of Windows Management Instrumentation Tester

Reboot your computer.

DO NOT use the WMI Tester in any way other than the one described above. If you cannot find AVG for removal then just exit out of WMI Tester and let me know.

Any problems with the instructions I've given you then let me know.

Now please run a new scan with DDS and post only the contents of dds.txt
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
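The wbemtest procedure above, done from PowerShell as an added example (this is not part of the thread and not deltalima's instructions): it lists every AntiVirusProduct entry that Security Center knows about, with its instanceGuid, and removes an entry only by exact GUID match and with confirmation. Assumptions: an elevated PowerShell 2.0 or later; the XP-era root\SecurityCenter namespace (root\SecurityCenter2 on Vista and later, which reports productState instead of the XP booleans); property names as shown in the wbemtest object editor.

```powershell
# Added example, not from the thread. Enumerate and (optionally) remove stale
# AntiVirusProduct registrations in the Security Center WMI namespace.
# Assumed: elevated PowerShell 2.0+, namespaces root\SecurityCenter (XP) or
# root\SecurityCenter2 (Vista+), property names as shown in wbemtest.

function Get-SecurityCenterAV {
    param([string[]]$Namespace = @('root\SecurityCenter', 'root\SecurityCenter2'))
    foreach ($ns in $Namespace) {
        # A namespace that does not exist on this OS is skipped silently
        $items = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($av in $items) {
            # New-Object instead of [pscustomobject] so this also runs on PowerShell 2.0 (XP)
            New-Object PSObject -Property @{
                Namespace    = $ns
                DisplayName  = $av.displayName
                InstanceGuid = $av.instanceGuid
                # XP booleans (root\SecurityCenter); $null on SecurityCenter2
                OnAccess     = $av.onAccessScanningEnabled
                UpToDate     = $av.productUptoDate
                # Vista+ bitmask (root\SecurityCenter2); $null on XP
                ProductState = $av.productState
            }
        }
    }
}

function Remove-SecurityCenterAV {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$InstanceGuid,
        [string]$Namespace = 'root\SecurityCenter'
    )
    # Exact GUID match only, so a typo cannot delete the working product's entry
    $target = Get-WmiObject -Namespace $Namespace -Class AntiVirusProduct |
              Where-Object { $_.instanceGuid -eq $InstanceGuid }
    if (-not $target) {
        throw "No AntiVirusProduct with instanceGuid $InstanceGuid in $Namespace"
    }
    if ($PSCmdlet.ShouldProcess("$($target.displayName) $InstanceGuid", 'Delete WMI instance')) {
        $target.Delete()
    }
}

# Usage: list first, compare displayName against what is actually installed,
# then preview the removal with -WhatIf before running it for real.
Get-SecurityCenterAV | Format-Table Namespace, DisplayName, InstanceGuid, OnAccess, UpToDate -AutoSize
# Remove-SecurityCenterAV -InstanceGuid '{17DDD097-36FF-435F-9E1B-52D74245D6BF}' -WhatIf
```

The listing is the useful part for diagnosis: a displayName for a product that is no longer installed, as with the AVG entry in this thread, is the stale registration, and the DDS "AV:" line is derived from these same instances. Remove only the entry whose displayName matches the uninstalled product, and run with -WhatIf first.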

Re: Fake_alert (resolved?) but not redirects

Post by phatkidd13 » June 7th, 2011, 8:42 am

When I ran ComboFix the first time it never prompted me to install the recovery console.

When following the directions above, it has two entries in antivirus products.
What would you like for me to delete?
phatkidd13
Regular Member
Posts: 23
Joined: May 18th, 2011, 12:19 pm

Re: Fake_alert (resolved?) but not redirects

Post by deltalima » June 7th, 2011, 8:51 am

Hi phatkidd13,

When following the directions above, it has two entries in antivirus products.
What would you like for me to delete?


Please double click on each entry in turn.

The object editor will appear.

Scroll down to instanceGUID and double click on it

There should be a string similar to {AD166499-45F9-482A-A743-FDD3350758C7} highlighted; right click and copy it into your next reply, then cancel back to the main screen (for both listed products).

Re: Fake_alert (resolved?) but not redirects

Post by phatkidd13 » June 7th, 2011, 9:04 am

It didn't give me an option to right click and copy so I am just typing it in.
First Instance: (this one had a description of AVG Internet Security 2011)

instanceGuid CIM_STRING {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Second Instance: (description of Microsoft Security Essentials)
instanceGuid CIM_STRING {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

Re: Fake_alert (resolved?) but not redirects

Post by deltalima » June 7th, 2011, 9:06 am

{17DDD097-36FF-435F-9E1B-52D74245D6BF} is the one to remove.

Re: Fake_alert (resolved?) but not redirects

Post by phatkidd13 » June 7th, 2011, 9:28 am

I removed the specified entry, rebooted and ran DDS again.
Here is the new DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 9:20:56.43 on Tue 06/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1119 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner.Davis1\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50889
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [CHotkey] mHotkey.exe
mRun: [ledpointer] CNYHKey.exe
mRun: [Showwnd] showwnd.exe
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [HelpCenter4.1] c:\program files\fastaccessdsl\helpcenter43\bin\sprtcmd.exe /P HelpCenter4.1
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SpybotSnD] "c:\program files\spybot sd\SpybotSD.exe" /autocheck /autoclose
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner~1.dav\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/Fac ... oader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 8284702545
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner~1.dav\applic~1\mozilla\firefox\profiles\3zqal4p5.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50889
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner.davis1\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-26 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-26 67656]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-1-1 10448]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-16 366640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2011-1-18 28672]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-9 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-4 22712]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2011-1-18 6942]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 kbeepm;kbeepm;\??\c:\docume~1\owner~1.dav\locals~1\temp\kbeepm.sys --> c:\docume~1\owner~1.dav\locals~1\temp\kbeepm.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-16 39984]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-29 27064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-04 04:45:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-04 04:39:04 6962000 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{9edb6b49-1226-4cef-a601-a655dbe44ee0}\mpengine.dll
2011-06-04 04:39:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-04 04:33:44 -------- d-----w- c:\program files\Microsoft Security Client
2011-06-04 03:41:41 -------- d-s---w- C:\ComboFix
2011-06-02 11:48:01 -------- d-----w- c:\program files\common files\xing shared
2011-06-01 23:37:01 -------- d-----w- C:\AVGTemp
2011-05-29 12:38:53 -------- d-----w- c:\docume~1\owner~1.dav\locals~1\applic~1\VS Revo Group
2011-05-29 12:38:45 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-29 12:38:43 -------- d-----w- c:\program files\VS Revo Group
2011-05-25 19:19:16 -------- d-----w- c:\program files\iTunes
2011-05-25 19:17:02 -------- d-----w- c:\program files\Bonjour
2011-05-16 14:22:28 -------- d-----w- c:\docume~1\owner~1.dav\applic~1\Malwarebytes
2011-05-16 14:22:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 14:22:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-16 14:22:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-08 23:01:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\cI06511JfCkK06511
2011-05-08 21:27:07 -------- d-----w- c:\windows\PIF
2011-05-08 21:24:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2011-05-08 19:17:53 -------- d-----w- c:\program files\ATT-HSI
.
==================== Find3M ====================
.
2011-06-02 11:47:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-02 11:47:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-13 04:44:44 0 ----a-w- c:\windows\Bfusejejifigo.bin
2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 06:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-03-08 22:21:24 963072 -c--a-w- c:\program files\RhapsodyPlayerEngine.msi
.
============= FINISH: 9:22:17.48 ===============

Re: Fake_alert (resolved?) but not redirects

Post by deltalima » June 7th, 2011, 9:29 am

That looks better, now run Combofix

Re: Fake_alert (resolved?) but not redirects

Post by phatkidd13 » June 7th, 2011, 11:14 am

ComboFix completed its run. Here is the log:

ComboFix 11-06-06.07 - Owner 06/07/2011 11:01:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1391 [GMT -4:00]
Running from: c:\documents and settings\Owner.Davis1\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.Davis1\Application Data\Adobe\plugs
c:\documents and settings\Owner.Davis1\Application Data\Adobe\plugs\mmc158
c:\documents and settings\Owner.Davis1\Application Data\Adobe\shed
c:\documents and settings\Owner.Davis1\HCUpgrade3.1.exe
c:\documents and settings\Owner.Davis1\Local Settings\Application Data\{26B72F76-F836-433D-9521-11E2CA27B21D}
c:\documents and settings\Owner.Davis1\Local Settings\Application Data\{26B72F76-F836-433D-9521-11E2CA27B21D}\chrome.manifest
c:\documents and settings\Owner.Davis1\Local Settings\Application Data\{26B72F76-F836-433D-9521-11E2CA27B21D}\chrome\content\_cfg.js
c:\documents and settings\Owner.Davis1\Local Settings\Application Data\{26B72F76-F836-433D-9521-11E2CA27B21D}\chrome\content\overlay.xul
c:\documents and settings\Owner.Davis1\Local Settings\Application Data\{26B72F76-F836-433D-9521-11E2CA27B21D}\install.rdf
c:\documents and settings\Owner.Davis1\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\Update.bat
c:\windows\XSxS
D:\Autorun.inf
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-04 04:45 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-04 04:39 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-04 04:39 . 2011-05-24 23:12 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EDB6B49-1226-4CEF-A601-A655DBE44EE0}\mpengine.dll
2011-06-04 04:33 . 2011-06-04 04:34 -------- d-----w- c:\program files\Microsoft Security Client
2011-06-02 11:48 . 2011-06-02 11:48 -------- d-----w- c:\program files\Common Files\xing shared
2011-06-01 23:37 . 2011-06-01 23:37 -------- d-----w- C:\AVGTemp
2011-05-29 12:38 . 2011-05-29 12:38 -------- d-----w- c:\documents and settings\Owner.Davis1\Local Settings\Application Data\VS Revo Group
2011-05-29 12:38 . 2009-12-30 15:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-29 12:38 . 2011-05-29 12:38 -------- d-----w- c:\program files\VS Revo Group
2011-05-28 04:31 . 2011-05-28 04:31 -------- d-----w- c:\program files\Common Files\Java
2011-05-25 19:19 . 2011-05-25 19:19 -------- d-----w- c:\program files\iTunes
2011-05-25 19:17 . 2011-05-25 19:17 -------- d-----w- c:\program files\Bonjour
2011-05-16 14:22 . 2011-05-16 14:22 -------- d-----w- c:\documents and settings\Owner.Davis1\Application Data\Malwarebytes
2011-05-16 14:22 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 14:22 . 2011-05-16 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-16 14:22 . 2011-06-04 04:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-08 23:01 . 2011-05-13 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\cI06511JfCkK06511
2011-05-08 21:27 . 2011-05-08 21:27 -------- d-----w- c:\windows\PIF
2011-05-08 21:24 . 2011-05-08 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2011-05-08 19:25 . 2011-05-08 22:05 -------- d-----w- c:\documents and settings\Owner.Davis1\Application Data\Motive
2011-05-08 19:17 . 2011-05-08 19:17 -------- d-----w- c:\program files\ATT-HSI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 11:47 . 2004-08-02 13:12 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-02 11:47 . 2003-08-13 01:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-14 09:07 . 2010-06-07 23:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 06:40 . 2010-06-07 23:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-02 05:03 . 2007-03-06 07:00 45200 ----a-w- c:\windows\system32\drivers\pxhelp20.sys
2008-03-08 22:21 . 2008-03-08 22:19 963072 -c--a-w- c:\program files\RhapsodyPlayerEngine.msi
2011-05-03 14:08 . 2011-04-21 12:18 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-02 2424192]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"CHotkey"="mHotkey.exe" [2004-12-08 550912]
"ledpointer"="CNYHKey.exe" [2005-11-10 5585408]
"Showwnd"="showwnd.exe" [2003-09-19 36864]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"HelpCenter4.1"="c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" [2007-04-13 198184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 16010752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-02 273544]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Owner.Davis1\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-12 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-16 18:53 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.Davis1^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Owner.Davis1\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 08:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-02 23:19 77312 ------w- c:\windows\arpwrmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 17:48 286720 ----a-w- c:\program files\Lexmark 2400 Series\lxcrmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Khowupeyegu"=rundll32.exe "c:\windows\urapibanovekeg.dll",Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1220578120\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/26/2008 6:35 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/26/2008 6:35 PM 67656]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/1/2011 12:58 PM 10448]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/16/2011 10:22 AM 366640]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/18/2011 9:33 PM 28672]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/9/2008 12:26 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/4/2011 12:45 AM 22712]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [1/18/2011 9:33 PM 6942]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 kbeepm;kbeepm;\??\c:\docume~1\OWNER~1.DAV\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\OWNER~1.DAV\LOCALS~1\Temp\kbeepm.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/16/2011 10:22 AM 39984]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/29/2011 8:38 AM 27064]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-06-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-06-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3548477272-2704172136-29649938-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-06-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3548477272-2704172136-29649938-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50889
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{506B92FB-A770-49DE-B465-8EA15A95D517}: DhcpNameServer = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Owner.Davis1\Application Data\Mozilla\Firefox\Profiles\3zqal4p5.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50889
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SpybotSnD - c:\program files\Spybot SD\SpybotSD.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-07 11:10:20
ComboFix-quarantined-files.txt 2011-06-07 15:10
.
Pre-Run: 243,274,928,128 bytes free
Post-Run: 243,441,463,296 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - B154108D4592FA496B84B88863D8B5F7
phatkidd13
Regular Member
 
Posts: 23
Joined: May 18th, 2011, 12:19 pm

Re: Fake_alert (resolved?) but not redirects

Unread postby deltalima » June 7th, 2011, 1:15 pm

Hi phatkidd13,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :processes
    killallprocesses
    :otl
    IE - HKU\S-1-5-21-3548477272-2704172136-29649938-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50889 
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. 
    O3 - HKU\S-1-5-21-3548477272-2704172136-29649938-1006\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
    O3 - HKU\S-1-5-21-3548477272-2704172136-29649938-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found. 
    O4 - HKLM..\Run: [KernelFaultCheck] File not found 
    O4 - HKLM..\Run: [SpybotSnD] File not found 
    O4 - HKU\S-1-5-21-3548477272-2704172136-29649938-1006..\Run: [Power2GoExpress] File not found 
    :commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Now run a quick scan with Malwarebytes and post the log in your next reply.

Please let me know how the computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
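The OTL script above deletes an Internet Explorer ProxyServer value of http=127.0.0.1:50889, and the ComboFix log posted before it shows Firefox's prefs.js carrying the same loopback address and port. A browser proxy pointing back at the local machine is a common way fake-alert infections redirect searches: a hidden process listens on the high port and rewrites traffic, so the setting itself is the indicator to look for. The following Python is an added example, not code from the helpers in this thread or from ComboFix or OTL. It parses constructed log lines in the same shape as the posted log and flags any proxy that points at the local machine, and it also reads Firefox's network.proxy.type, because a value of 0 means the stored manual proxy was not actually in use.

```python
"""Triage helper: flag browser proxy settings that point at a loopback
listener in ComboFix/DDS-style 'Supplementary Scan' log lines.

Added example for this thread; not code from MalwareRemoval.com, ComboFix
or OTL.  SAMPLE_LOG is constructed to mirror the shape of the posted log.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the format ComboFix uses for the user's settings.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:50889
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50889
FF - prefs.js: network.proxy.type - 0
"""

IE_PROXY = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
FF_PREF = re.compile(r"FF - prefs\.js:\s*(?P<name>network\.proxy\.\S+)\s*-\s*(?P<value>\S+)")


def parse_ie_proxy(value: str) -> Dict[str, str]:
    """WinINET ProxyServer syntax: 'http=host:port;https=host:port' or a
    bare 'host:port' that applies to every protocol (keyed here as 'all')."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if not part:
            continue
        if "=" in part:
            scheme, hostport = part.split("=", 1)
        else:
            scheme, hostport = "all", part
        out[scheme] = hostport
    return out


def split_host(hostport: str) -> str:
    """Strip an optional ':port'; handles '[::1]:8080' and bare hosts."""
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")]
    if hostport.count(":") == 1:
        return hostport.split(":")[0]
    return hostport


def is_loopback_hostport(hostport: str) -> bool:
    host = split_host(hostport)
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_local_proxies(log_text: str) -> List[str]:
    """Return one finding per browser proxy that points at the local machine.

    IE/WinINET findings are reported per protocol.  For Firefox the host,
    port and mode are separate prefs, so they are collected first; the
    manual proxy is only ACTIVE when network.proxy.type is 1.
    """
    findings: List[str] = []
    ff: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = IE_PROXY.search(line)
        if m:
            for scheme, hp in parse_ie_proxy(m.group("value")).items():
                if is_loopback_hostport(hp):
                    findings.append(f"IE/WinINET {scheme} proxy -> {hp} (loopback)")
        m = FF_PREF.search(line)
        if m:
            ff[m.group("name")] = m.group("value")

    host = ff.get("network.proxy.http")
    port = ff.get("network.proxy.http_port", "?")
    if host and is_loopback_hostport(host):
        state = "ACTIVE" if ff.get("network.proxy.type") == "1" else "dormant (network.proxy.type != 1)"
        findings.append(f"Firefox http proxy -> {host}:{port} ({state})")
    return findings


if __name__ == "__main__":
    for finding in find_local_proxies(SAMPLE_LOG):
        print(finding)
```

On a live machine the same values come from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyServer together with ProxyEnable) and from prefs.js in the Firefox profile directory, which is what the log lines are reporting. A loopback proxy is worth treating as an indicator even when the browser's proxy mode is off, as in the Firefox case here, because the listener it pointed at may still be present.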

Re: Fake_alert (resolved?) but not redirects

Unread postby phatkidd13 » June 7th, 2011, 6:35 pm

Everything ran fine.
MBAM found an issue.
Here is the OTL Log:
All processes killed
========== PROCESSES ==========
========== OTL ==========
HKU\S-1-5-21-3548477272-2704172136-29649938-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-3548477272-2704172136-29649938-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}\ not found.
Registry value HKEY_USERS\S-1-5-21-3548477272-2704172136-29649938-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSnD not found.
Registry value HKEY_USERS\S-1-5-21-3548477272-2704172136-29649938-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users
->Flash cache emptied: 178 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

User: Owner.Davis1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6484782 bytes
->Java cache emptied: 52555137 bytes
->FireFox cache emptied: 49726856 bytes
->Flash cache emptied: 30437 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 5258257 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33350 bytes
RecycleBin emptied: 141576 bytes

Total Files Cleaned = 109.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.Davis1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 06072011_153813

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Here is the MBAM Log:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6795

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/7/2011 6:28:13 PM
mbam-log-2011-06-07 (18-27-53).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 318454
Time elapsed: 56 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec069}\RP1217\A0131450.sys (Rootkit.Patch) -> No action taken.


As I have not yet removed the infected file, please advise on any further action.
Thank you.
phatkidd13
Regular Member
 
Posts: 23
Joined: May 18th, 2011, 12:19 pm

Re: Fake_alert (resolved?) but not redirects

Unread postby deltalima » June 8th, 2011, 2:32 am

Hi phatkidd13,

As I have not yet removed the infected file, please advise on any further action.


That file is in the system restore area and we will clear that out below.

Now that you are clean, please follow these steps in order to keep your computer clean and secure.

Remove GMER

Delete the GMER icon from your desktop.

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Here are some additional utilities that will enhance your safety


Happy surfing and stay clean!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Fake_alert (resolved?) but not redirects

Unread postby phatkidd13 » June 8th, 2011, 9:11 am

After removing the Fake_alert, I unhid all the folders so that they could be found,
but when going to Start, All Programs, it will show the programs, but anything that was installed prior to the infection shows the program as "(Empty)" when placing the pointer over the program.
Thus when trying to create a new restore point under System Tools it shows only Internet Explorer and nothing else.
Is there a way to restore them?
phatkidd13
Regular Member
 
Posts: 23
Joined: May 18th, 2011, 12:19 pm

Re: Fake_alert (resolved?) but not redirects

Unread postby deltalima » June 8th, 2011, 9:31 am

Hi phatkidd13,

Is there a way to restore them?


Unfortunately there is no quick way, the infection has removed them.

The fix is a manual one, you need to use a working computer and examine the start menu. For each icon, right click and make a note of the properties.

Next, on the affected computer, recreate all the icons by creating new ones and setting the properties the same as the ones you copied from the good computer.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Fake_alert (resolved?) but not redirects

Unread postby deltalima » June 9th, 2011, 11:58 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK