Malware removal help please .. blinkx

Post by gmaddockgreene » December 16th, 2009, 4:17 pm

Hi Guys and thank you in advance for any assistance offered.

I appear to have a 'Blinkx' redirect Trojan virus on my laptop. Navigating to Google and to known website URLs is fine, but links from Google SERPs just redirect me to Blinkx sites. Here are my HijackThis and Uninstall logs as requested.

I am running Windows 7 .. all latest patches and latest Java.

As you can see Avast Anti-Virus is running.

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06:11, on 16/12/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.york.ac.uk/np/students.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4666 bytes

Uninstall File:

Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
avast! Antivirus
CCleaner
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Mozilla Firefox (3.5.5)
MSVCRT
OGA Notifier 2.0.0048.0
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
SUPERAntiSpyware Free Edition
TweetDeck
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb976884)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool

Again many thanks for your help.

Gary
gmaddockgreene
Active Member
Posts: 10
Joined: December 16th, 2009, 4:01 pm

Re: Malware removal help please .. blinkx

Post by Blade81 » December 23rd, 2009, 5:15 pm

Hi Gary,

Does the redirecting issue occur in both the Firefox and Internet Explorer browsers?

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is ready, click Copy.
  • This copies the log to the clipboard
  • Post the log in your reply.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Malware removal help please .. blinkx

Post by gmaddockgreene » December 24th, 2009, 5:13 am

Hello and thanks for your help.

Yes, the redirection is happening in both Firefox and IE8. The log, as requested, is:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-24 09:11:10
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\GMADDO~1\AppData\Local\Temp\fxryakog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A313F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1A2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A19898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A311DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A316F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A321A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A91579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91224000, 0x2D5378, 0xE8000020]
.text peauth.sys 98D6AC9D 28 Bytes [1E, C7, AB, 5F, B5, 7F, 10, ...]
.text peauth.sys 98D6ACC1 28 Bytes [1E, C7, AB, 5F, B5, 7F, 10, ...]
PAGE peauth.sys 98D7102C 102 Bytes [41, 2E, 60, 99, 33, 3B, 1D, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9A16A000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9A16A123 629 Bytes [55, 16, 9A, FE, 05, 34, 55, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9A16A399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9A16A3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 9A16A4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1752] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1752] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1752] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1752] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2868] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74F75D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Re: Malware removal help please .. blinkx

Post by Blade81 » December 24th, 2009, 6:55 am

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Re: Malware removal help please .. blinkx

Post by gmaddockgreene » December 24th, 2009, 9:10 am

Hi .. thanks for your advice ... however I am running Windows 7 and ComboFix advises me not to use ComboFix as it is beta only for Windows 7. Any further suggestions as to how to proceed, please?

Thanks Gary

Re: Malware removal help please .. blinkx

Post by Blade81 » December 24th, 2009, 9:58 am

Hi,

Just let it run there :)

Re: Malware removal help please .. blinkx

Post by gmaddockgreene » December 26th, 2009, 9:28 am

Hi, the ComboFix green status bar runs at installation but then nothing happens. I have left the computer running overnight in case something is happening in the background, but nothing. It doesn't seem to run on my Windows 7 installation!!

Thanks again.

Re: Malware removal help please .. blinkx

Post by Blade81 » December 26th, 2009, 9:32 am

Hi,

Reboot the system and try to run ComboFix renamed. Let me know how it goes.

Re: Malware removal help please .. blinkx

Post by gmaddockgreene » December 26th, 2009, 10:04 am

Hi .. thanks for the advice. OK, I have the log now ...

ComboFix 09-12-25.04 - gmaddockgreene 26/12/2009 13:50:03.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3067.2236 [GMT 0:00]
Running from: c:\users\gmaddockgreene\Desktop\ComboFix2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 13:55 . 2009-12-26 13:55 -------- d-----w- c:\users\gmaddockgreene\AppData\Local\temp
2009-12-26 13:55 . 2009-12-26 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-16 19:57 . 2009-12-16 20:05 -------- d-----w- c:\program files\trend micro
2009-12-16 19:57 . 2009-12-16 19:57 -------- d-----w- C:\rsit
2009-12-16 18:46 . 2009-12-16 19:23 144995 ----a-w- C:\MGlogs.zip
2009-12-16 18:39 . 2009-12-16 19:23 -------- d-----w- C:\MGtools
2009-12-16 18:16 . 2009-12-16 18:16 -------- d-----w- c:\users\gmaddockgreene\AppData\Roaming\Malwarebytes
2009-12-16 18:16 . 2009-12-16 18:16 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 23:20 . 2009-12-15 23:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-15 23:20 . 2009-12-21 20:09 -------- d-----w- c:\users\gmaddockgreene\AppData\Roaming\SUPERAntiSpyware.com
2009-12-15 23:20 . 2009-12-21 20:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 23:16 . 2009-12-15 23:16 2385267 ----a-w- C:\MGtools.exe
2009-12-15 22:44 . 2009-12-15 22:44 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-12-11 17:40 . 2009-12-11 17:40 -------- d-----w- c:\users\gmaddockgreene\AppData\Local\ElevatedDiagnostics
2009-12-10 09:21 . 2009-12-10 09:21 108032 --sha-r- c:\windows\system32\ucmhcg.dll
2009-12-09 09:07 . 2009-12-26 13:46 -------- d-----w- c:\users\gmaddockgreene\Tracing
2009-12-09 08:58 . 2009-12-09 08:58 -------- d-----w- c:\program files\Microsoft
2009-12-09 08:58 . 2009-12-09 08:58 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-09 08:57 . 2009-12-09 08:58 -------- d-----w- c:\program files\Windows Live
2009-12-09 08:49 . 2009-12-09 08:49 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 12:32 . 2009-12-26 12:32 -------- d-----w- c:\program files\DIFX
2009-12-26 12:32 . 2009-12-26 12:32 -------- d-----w- c:\program files\Garmin
2009-12-26 10:48 . 2009-12-26 10:48 -------- d-----w- c:\users\gmaddockgreene\AppData\Roaming\GARMIN
2009-12-22 20:10 . 2009-10-24 13:15 108824 ----a-w- c:\users\gmaddockgreene\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-15 22:03 . 2009-10-23 18:43 -------- d-----w- c:\programdata\Microsoft Help
2009-12-15 22:01 . 2009-10-23 18:47 -------- d-----w- c:\program files\Microsoft Works
2009-11-24 23:54 . 2009-10-24 10:46 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:49 . 2009-10-24 10:46 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-24 10:46 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-24 10:46 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-05 12:26 . 2009-12-26 10:48 11221864 ----a-w- c:\users\gmaddockgreene\AppData\Roaming\Mozilla\Firefox\Profiles\7wpimjhv.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
2009-11-02 20:42 . 2009-10-23 17:00 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:22 . 2009-11-25 19:58 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 20:10 . 2009-10-28 20:10 -------- d-----w- c:\programdata\Hewlett-Packard
2009-10-25 20:01 . 2009-10-25 20:03 38208 ----a-w- c:\users\gmaddockgreene\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-25 20:01 . 2009-10-25 20:03 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-23 17:28 . 2009-10-23 17:28 0 ----a-w- c:\windows\nsreg.dat
2009-10-23 13:50 . 2009-10-23 13:50 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-02 04:06 . 2009-10-23 16:58 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2009-07-30 11017728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\users\gmaddockgreene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [24/10/2009 10:46 114768]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [18/08/2009 01:36 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [24/10/2009 10:46 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [24/10/2009 10:46 53328]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [13/07/2009 22:02 229888]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [10/06/2009 21:18 4231168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.york.ac.uk/np/students.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\gmaddockgreene\AppData\Roaming\Mozilla\Firefox\Profiles\7wpimjhv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.york.ac.uk/np/students.htm
FF - plugin: c:\users\gmaddockgreene\AppData\Roaming\Mozilla\Firefox\Profiles\7wpimjhv.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2009-12-26 13:59:55
ComboFix-quarantined-files.txt 2009-12-26 13:59

Pre-Run: 171,343,151,104 bytes free
Post-Run: 171,272,024,064 bytes free

- - End Of File - - CB89D56BB855A830C3AEBF9103FD9909

Re: Malware removal help please .. blinkx

Post by Blade81 » December 26th, 2009, 11:27 am

Hi,

Start MBAM, update its definitions on the Update tab and run a quick scan (let it delete found items). Post back the report.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.

Code:

http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=48129
Collect::
c:\windows\system32\ucmhcg.dll
Reboot::

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix2.exe (have the internet connection enabled during the ComboFix run).
Then post the resultant log. Is the redirecting still occurring?
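As an added example (not part of this thread and not ComboFix's own logic), the script below reproduces the kind of reasoning a helper applies when reading the "Files Created" and "Find3M" listings above: it parses the ComboFix entry format, then flags system32 executables that carry hidden+system attributes, or that were created recently and have a random-looking name, which is exactly the profile of ucmhcg.dll. The sample lines are copied from the report above; the 30-day window, the consonant-run heuristic and the function names are assumptions of this example.

```python
"""Triage ComboFix file listings for suspicious system32 executables (added example)."""
import re
from datetime import datetime, timedelta

# Sample entries copied from the ComboFix report in this thread (constructed test input).
SAMPLE_LOG = r"""
2009-12-26 13:55 . 2009-12-26 13:55 -------- d-----w- c:\users\gmaddockgreene\AppData\Local\temp
2009-12-10 09:21 . 2009-12-10 09:21 108032 --sha-r- c:\windows\system32\ucmhcg.dll
2009-11-24 23:49 . 2009-10-24 10:46 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-02 20:42 . 2009-10-23 17:00 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
"""
SCAN_TIME = datetime(2009, 12, 26, 13, 50)   # completion time of the first report above

# One ComboFix entry: "<created> . <modified> <size or --------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)
EXEC_EXT = (".dll", ".exe", ".sys")
RECENT_DAYS = 30   # assumption: "recent" means created inside a 30-day window before the scan


def parse_entries(text):
    """Yield one dict per line that matches the ComboFix entry format; skip everything else."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["created"] = datetime.strptime(entry["created"], "%Y-%m-%d %H:%M")
        entry["modified"] = datetime.strptime(entry["modified"], "%Y-%m-%d %H:%M")
        # Attribute letters as they appear in the report: d=directory, s=system,
        # h=hidden, a=archive, r=read-only, w=writable. Dashes are placeholders.
        entry["flags"] = set(entry["attrs"].replace("-", ""))
        entry["is_dir"] = "d" in entry["flags"]
        entry["size"] = None if entry["is_dir"] else int(entry["size"])
        yield entry


def looks_random(stem):
    """Crude heuristic: a run of five or more consonants reads like a generated name."""
    return re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", stem.lower()) is not None


def assess(entry, scan_time):
    """Return the reasons an entry deserves a second look; an empty list means nothing notable."""
    path = entry["path"].lower()
    if entry["is_dir"] or not path.endswith(EXEC_EXT):
        return []
    if "\\windows\\system32\\" not in path:
        return []
    hidden_system = {"s", "h"} <= entry["flags"]
    recent = scan_time - entry["created"] <= timedelta(days=RECENT_DAYS)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    random_name = looks_random(stem)
    # Hidden+system on a system32 executable is a strong signal on its own;
    # otherwise require both a recent creation time and a random-looking name.
    if not (hidden_system or (recent and random_name)):
        return []
    reasons = []
    if hidden_system:
        reasons.append("hidden+system attributes on a system32 executable")
    if recent:
        reasons.append("created within %d days of the scan" % RECENT_DAYS)
    if random_name:
        reasons.append("random-looking file name")
    return reasons


def triage(text, scan_time):
    """Map path -> reasons for every entry that assess() considers suspicious."""
    findings = {}
    for entry in parse_entries(text):
        reasons = assess(entry, scan_time)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


def demo():
    """Run the triage over the sample lines; only ucmhcg.dll should be reported."""
    return triage(SAMPLE_LOG, SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```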

Re: Malware removal help please .. blinkx

Post by gmaddockgreene » December 26th, 2009, 12:38 pm

Hi .. it appears to have done the trick!! The redirect seems to have been removed. For completeness, here are the logs requested:

MBAM LOG:

Malwarebytes' Anti-Malware 1.42
Database version: 3434
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

26/12/2009 16:10:22
mbam-log-2009-12-26 (16-10-22).txt

Scan type: Quick Scan
Objects scanned: 99154
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and ...

ComboFix 09-12-25.05 - gmaddockgreene 26/12/2009 16:18:05.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3067.2369 [GMT 0:00]
Running from: c:\users\gmaddockgreene\Desktop\ComboFix2.exe
Command switches used :: c:\users\gmaddockgreene\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ucmhcg.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 16:23 . 2009-12-26 16:25 -------- d-----w- c:\users\gmaddockgreene\AppData\Local\temp
2009-12-26 16:23 . 2009-12-26 16:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-26 16:23 . 2009-12-26 16:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-26 16:16 . 2009-12-26 16:17 -------- d-----w- C:\32788R22FWJFW
2009-12-26 16:00 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 16:00 . 2009-12-26 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 16:00 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 12:32 . 2009-12-26 12:32 -------- d-----w- c:\program files\DIFX
2009-12-26 12:32 . 2009-12-26 12:32 -------- d-----w- c:\program files\Garmin
2009-12-26 10:55 . 2007-09-06 15:53 18944 ----a-w- c:\windows\system32\drivers\SiLib.sys
2009-12-26 10:55 . 2007-09-06 15:53 14848 ----a-w- c:\windows\system32\drivers\DSI_SiUSBXp_3_1.sys
2009-12-26 10:55 . 2009-12-26 10:55 -------- d-----w- C:\Garmin
2009-12-26 10:48 . 2009-12-26 10:48 -------- d-----w- c:\users\gmaddockgreene\AppData\Roaming\GARMIN
2009-12-16 19:57 . 2009-12-16 20:05 -------- d-----w- c:\program files\trend micro
2009-12-16 19:57 . 2009-12-16 19:57 -------- d-----w- C:\rsit
2009-12-16 18:46 . 2009-12-16 19:23 144995 ----a-w- C:\MGlogs.zip
2009-12-16 18:39 . 2009-12-16 19:23 -------- d-----w- C:\MGtools
2009-12-16 18:16 . 2009-12-16 18:16 -------- d-----w- c:\users\gmaddockgreene\AppData\Roaming\Malwarebytes
2009-12-16 18:16 . 2009-12-16 18:16 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 23:20 . 2009-12-15 23:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-15 23:20 . 2009-12-21 20:09 -------- d-----w- c:\users\gmaddockgreene\AppData\Roaming\SUPERAntiSpyware.com
2009-12-15 23:20 . 2009-12-21 20:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 23:16 . 2009-12-15 23:16 2385267 ----a-w- C:\MGtools.exe
2009-12-15 22:44 . 2009-12-15 22:44 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-12-11 17:40 . 2009-12-11 17:40 -------- d-----w- c:\users\gmaddockgreene\AppData\Local\ElevatedDiagnostics
2009-12-09 09:07 . 2009-12-26 16:25 -------- d-----w- c:\users\gmaddockgreene\Tracing
2009-12-09 08:58 . 2009-12-09 08:58 -------- d-----w- c:\program files\Microsoft
2009-12-09 08:58 . 2009-12-09 08:58 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-09 08:57 . 2009-12-09 08:58 -------- d-----w- c:\program files\Windows Live
2009-12-09 08:49 . 2009-12-09 08:49 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 20:10 . 2009-10-24 13:15 108824 ----a-w- c:\users\gmaddockgreene\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-15 22:03 . 2009-10-23 18:43 -------- d-----w- c:\programdata\Microsoft Help
2009-12-15 22:01 . 2009-10-23 18:47 -------- d-----w- c:\program files\Microsoft Works
2009-11-24 23:54 . 2009-10-24 10:46 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:49 . 2009-10-24 10:46 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-24 10:46 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-24 10:46 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-05 12:26 . 2009-12-26 10:48 11221864 ----a-w- c:\users\gmaddockgreene\AppData\Roaming\Mozilla\Firefox\Profiles\7wpimjhv.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
2009-11-02 20:42 . 2009-10-23 17:00 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:22 . 2009-11-25 19:58 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 20:10 . 2009-10-28 20:10 -------- d-----w- c:\programdata\Hewlett-Packard
2009-10-25 20:01 . 2009-10-25 20:03 38208 ----a-w- c:\users\gmaddockgreene\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-25 20:01 . 2009-10-25 20:03 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-23 17:28 . 2009-10-23 17:28 0 ----a-w- c:\windows\nsreg.dat
2009-10-23 13:50 . 2009-10-23 13:50 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-02 04:06 . 2009-10-23 16:58 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-26_13.55.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:55 . 2009-12-26 13:47 43376 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2009-12-26 16:26 43376 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-10-23 14:05 . 2009-12-26 13:47 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-23 14:05 . 2009-12-26 16:24 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-23 14:05 . 2009-12-26 13:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-23 14:05 . 2009-12-26 16:24 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2009-12-26 13:47 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2009-12-26 16:24 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-23 06:18 . 2009-12-26 16:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-23 06:18 . 2009-12-26 13:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-23 06:18 . 2009-12-26 16:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-23 06:18 . 2009-12-26 13:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-23 06:18 . 2009-12-26 13:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-23 06:18 . 2009-12-26 16:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-23 06:14 . 2009-12-26 16:26 7584 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3764732569-1577208905-500643143-1000_UserData.bin
- 2009-12-26 13:46 . 2009-12-26 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-26 13:46 . 2009-12-26 16:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-26 13:46 . 2009-12-26 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-26 13:46 . 2009-12-26 16:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-23 19:14 . 2009-12-26 15:57 256054 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:05 . 2009-12-26 14:01 650606 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2009-12-26 14:01 116000 c:\windows\System32\perfc009.dat
- 2009-07-14 02:03 . 2009-12-26 13:35 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2009-12-26 13:59 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2009-07-30 11017728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\users\gmaddockgreene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [24/10/2009 10:46 114768]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [18/08/2009 01:36 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [24/10/2009 10:46 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [24/10/2009 10:46 53328]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [13/07/2009 22:02 229888]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [10/06/2009 21:18 4231168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.york.ac.uk/np/students.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\gmaddockgreene\AppData\Roaming\Mozilla\Firefox\Profiles\7wpimjhv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.york.ac.uk/np/students.htm
FF - plugin: c:\users\gmaddockgreene\AppData\Roaming\Mozilla\Firefox\Profiles\7wpimjhv.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2009-12-26 16:31:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 16:31
ComboFix2.txt 2009-12-26 13:59

Pre-Run: 171,317,547,008 bytes free
Post-Run: 171,257,729,024 bytes free

- - End Of File - - 84D33DE16075406E0840A36D21DE15CB
gmaddockgreene
Active Member
Posts: 10
Joined: December 16th, 2009, 4:01 pm

Re: Malware removal help please .. blinkx

Unread postby Blade81 » December 26th, 2009, 12:43 pm

Hi,

Please upload the c:\qoobox\quarantine\c\windows\system32\ucmhcg.dll.vir file here. Kindly include a link to this topic there.

Let me know when that's been done.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Malware removal help please .. blinkx

Unread postby gmaddockgreene » December 26th, 2009, 12:57 pm

Thanks. That has been sent / posted as requested.

Gary
gmaddockgreene
Active Member
Posts: 10
Joined: December 16th, 2009, 4:01 pm

Re: Malware removal help please .. blinkx

Unread postby Blade81 » December 26th, 2009, 1:08 pm

Thanks Gary :)

Looks like it's time for the final steps then.

Let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialize and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Happy Holidays,
Blade 8)
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
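The steps in the post above (the Internet-zone Custom Level changes, the hosts file, and switching the DNS Client service to Manual) are all registry or service settings, so they can be checked, and optionally applied, from an elevated PowerShell prompt instead of clicking through the dialogs. The script below is an added example for this thread, not Blade81's own instructions or a MalwareRemoval.com tool. It also reports the two UAC values visible in the ComboFix log earlier in the thread ("ConsentPromptBehaviorAdmin"= 0 and "PromptOnSecureDesktop"= 0), which mean administrators are elevated without any prompt and prompts are not isolated on the secure desktop; the Windows 7 defaults are 5 and 1. Assumptions: the value names 1001, 1004, 1201, 1800, 1804 and 1607 are the Internet-zone (zone 3) URL action values Microsoft documents for the six Custom Level items named in the post, with 0 = Enable, 1 = Prompt, 3 = Disable; the DNS Client service's internal name is Dnscache. Without -Apply the script only reports differences.

```powershell
# Added example (not from the original thread): post-cleanup checks for the
# settings requested in the final-steps post, run from an elevated PowerShell
# prompt on the Windows 7 machine. Assumed mapping: IE Internet-zone (zone 3)
# value names 1001/1004/1201/1800/1804/1607 as published by Microsoft;
# 0 = Enable, 1 = Prompt, 3 = Disable.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports differences
)

# 1. UAC policy. The ComboFix log showed ConsentPromptBehaviorAdmin = 0 and
#    PromptOnSecureDesktop = 0 (silent elevation, no secure desktop).
#    Windows 7 defaults are 5 (prompt for consent) and 1 (secure desktop on).
$uacPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacWanted = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }

# 2. Internet zone settings from the "Make your Internet Explorer more secure"
#    steps, keyed by the registry value behind each Custom Level item.
$zonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneWanted = @{
    '1001' = 1   # Download signed ActiveX controls -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains -> Prompt
}

function Test-RegistryValues {
    param([string]$Path, [hashtable]$Wanted, [switch]$Apply)
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in ($Wanted.Keys | Sort-Object)) {
        $have = if ($null -ne $current) { $current.$name } else { $null }
        if ($have -eq $Wanted[$name]) {
            Write-Output ("OK      {0}\{1} = {2}" -f $Path, $name, $have)
            continue
        }
        Write-Output ("DIFF    {0}\{1} = {2} (want {3})" -f $Path, $name, $have, $Wanted[$name])
        if ($Apply) {
            Set-ItemProperty -Path $Path -Name $name -Value $Wanted[$name] -Type DWord
            Write-Output ("FIXED   {0}\{1} -> {2}" -f $Path, $name, $Wanted[$name])
        }
    }
}

Test-RegistryValues -Path $uacPath  -Wanted $uacWanted  -Apply:$Apply
Test-RegistryValues -Path $zonePath -Wanted $zoneWanted -Apply:$Apply

# 3. hosts file: list the active (non-comment) entries, so a blocking hosts
#    file can be told apart from one that redirects legitimate domains.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = @(Get-Content $hostsFile | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })
Write-Output ("hosts: {0} active entries in {1}" -f $active.Count, $hostsFile)
$active | Select-Object -First 20 | ForEach-Object { Write-Output ("        {0}" -f $_) }

# 4. DNS Client (service name Dnscache). The post sets it to Manual to avoid the
#    slowdown a large hosts file causes while the resolver cache loads it.
$dns       = Get-Service -Name Dnscache
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'").StartMode
Write-Output ("DNS Client: status {0}, start mode {1}" -f $dns.Status, $startMode)
if ($Apply -and $startMode -ne 'Manual') {
    Set-Service -Name Dnscache -StartupType Manual
    Write-Output "DNS Client start mode -> Manual"
}
```

Run it once without -Apply to see what differs, then with -Apply to set the values; the UAC and hosts-file checks are reported only, and the UAC values are changed by the same Set-ItemProperty path only because they sit in the same hashtable-driven loop, so drop the $uacPath call if you only want the IE zone changes.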

Re: Malware removal help please .. blinkx

Unread postby gmaddockgreene » December 27th, 2009, 7:30 am

Excellent my friend. We seem to have nailed it. Thank you very much for your help and advice. Really appreciated.
Just one remaining issue for me is that I cannot connect to www.windowsupdate.com.

All other browsing is fine. Seems strange .. unless the service is down!

When I go to www.windowsupdate.com I am redirected to http://test.update.microsoft.com/window ... fault.aspx

Gary :bigsmurf:
gmaddockgreene
Active Member
Posts: 10
Joined: December 16th, 2009, 4:01 pm