Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

IE redirects and pop-ups

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: IE redirects and pop-ups

Unread postby askey127 » July 24th, 2010, 2:55 pm

tblue,
There was an infected file left over.
Checking for anything else:
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable your antivirus software BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVG
    Please open the AVG Control Center, by right clicking on the AVG icon in the task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, DESELECT the option to "Enable Resident Shield."
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Re: IE redirects and pop-ups

Unread postby tblue » July 24th, 2010, 10:06 pm

ComboFix Results:

ComboFix 10-07-24.01 - Toby Blue 07/24/2010 20:52:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.707 [GMT -5:00]
Running from: c:\documents and settings\Toby Blue\Desktop\zzz.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 19:43 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-20 18:18 . 2002-01-16 16:51 8 ------w- C:\url.bat
2010-07-20 17:06 . 2008-02-20 19:56 86016 ----a-w- c:\windows\uninstalllucentclient.exe
2010-07-20 17:06 . 2008-02-20 19:55 320768 ----a-w- c:\windows\system32\drivers\luipsec.sys
2010-07-20 17:06 . 2007-11-05 21:13 38968 ----a-w- c:\windows\system32\luinst.dll
2010-07-20 16:28 . 2010-07-20 17:08 -------- d-----w- c:\program files\IPSec Client
2010-07-18 04:02 . 2010-07-18 04:02 -------- d-----w- C:\rsit
2010-07-18 03:53 . 2010-07-18 03:53 -------- d-----w- c:\program files\Common Files\Java
2010-07-18 03:53 . 2010-07-18 03:53 503808 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-428751b4-n\msvcp71.dll
2010-07-18 03:53 . 2010-07-18 03:53 499712 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-428751b4-n\jmc.dll
2010-07-18 03:53 . 2010-07-18 03:53 348160 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-428751b4-n\msvcr71.dll
2010-07-18 03:53 . 2010-07-18 03:53 61440 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7abb8a3b-n\decora-sse.dll
2010-07-18 03:53 . 2010-07-18 03:53 12800 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7abb8a3b-n\decora-d3d.dll
2010-07-18 03:53 . 2010-07-18 03:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-18 02:00 . 2010-07-22 07:32 -------- d-----w- c:\windows\system32\NtmsData
2010-07-18 01:57 . 2010-07-18 01:57 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\Avira
2010-07-18 01:51 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-18 01:51 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-18 01:51 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-18 01:51 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-18 01:51 . 2010-07-18 01:51 -------- d-----w- c:\program files\Avira
2010-07-18 01:51 . 2010-07-18 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-16 02:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-16 02:56 . 2010-07-16 02:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 02:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-16 02:24 . 2010-07-16 02:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 01:17 . 2010-07-18 04:28 -------- d-----w- c:\program files\Trend Micro
2010-07-13 01:17 . 2010-07-13 01:17 388096 ----a-r- c:\documents and settings\Toby Blue\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-12 20:02 . 2010-07-22 10:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 05:19 . 2010-07-12 05:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-08 08:12 . 2010-07-08 08:12 -------- d-----w- C:\VundoFix Backups
2010-07-06 16:11 . 2010-07-06 17:10 -------- d-----w- c:\documents and settings\Toby Blue\Local Settings\Application Data\hatvdwocx
2010-07-06 01:42 . 2010-07-06 01:42 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\Malwarebytes
2010-07-06 01:42 . 2010-07-06 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-30 22:16 . 2010-07-16 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-30 08:46 . 2010-06-30 08:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-29 21:41 . 2010-06-29 21:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 01:26 . 2009-03-02 01:07 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-24 14:26 . 2001-08-23 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-20 18:36 . 2009-01-30 15:40 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\VMware
2010-07-20 18:18 . 2009-01-28 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 18:17 . 2009-01-29 18:48 -------- d-----w- c:\program files\AR System
2010-07-20 17:42 . 2009-01-28 22:20 51592 ----a-w- c:\documents and settings\Toby Blue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-20 15:35 . 2009-01-29 04:26 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\Skype
2010-07-20 15:33 . 2009-01-29 04:28 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\skypePM
2010-07-18 03:44 . 2009-01-29 02:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 01:39 . 2009-01-28 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-18 01:34 . 2009-02-03 22:03 -------- d-----w- c:\program files\Java
2010-07-12 00:05 . 2010-06-11 16:57 -------- d-----w- c:\program files\Lx_cats
2010-06-14 14:31 . 2009-01-28 05:10 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-11 17:02 . 2010-06-11 17:02 423464 ----a-w- c:\documents and settings\Toby Blue\Application Data\E-centives\BSTIEPrintCtl1.dll
2010-06-11 17:02 . 2010-06-11 17:02 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\E-centives
2010-06-05 14:28 . 2009-09-30 18:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 00:54 . 2010-06-01 00:54 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-01 00:53 . 2009-07-25 10:09 -------- d-----w- c:\program files\Essentials Codec Pack
2010-06-01 00:52 . 2009-01-31 11:26 -------- d-----w- c:\program files\DivX
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\System32\WLTRAY" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-05 3900936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
IPSecClient Icon.lnk - c:\program files\IPSec Client\trayicon.exe [2010-7-20 675840]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AR System\\HOME\\ALPrograms\\wget.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 3:37 AM 64480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/17/2010 8:51 PM 135336]
R3 LuIPSec;Alcatel-Lucent VPN Miniport;c:\windows\system32\drivers\luipsec.sys [7/20/2010 12:06 PM 320768]
S2 LucentIKE;LucentIKE;c:\program files\IPSec Client\lucentikesvc.exe [7/20/2010 12:06 PM 147456]
S3 B-Service;B-Service;c:\documents and settings\Toby Blue\Application Data\Mikogo\B-Service.exe [1/14/2010 4:43 PM 185640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Office Communicator 2005]
2008-01-10 17:11 516608 ----a-w- c:\windows\Installer\Microsoft Office Communicator 2005\AFTER.EXE
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: hrsaccount.com\www
TCP: {989F1E28-47E8-497E-A3A3-31F0D5FAC1B5} = 208.67.220.220,208.67.222.222
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/ ... emLite.CAB
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-24 21:00:25
ComboFix-quarantined-files.txt 2010-07-25 02:00

Pre-Run: 23,127,429,120 bytes free
Post-Run: 23,695,376,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C2BD2CE7A29137EEB1B2C6C44578F2CC
tblue
Regular Member
 
Posts: 32
Joined: August 2nd, 2007, 5:14 pm
Location: North Carolina

Re: IE redirects and pop-ups

Unread postby askey127 » July 25th, 2010, 6:46 am

tblue,
I am not seeing anything else now.
Sorry for the AVG instruction instead of Antivir. Glad you took care of it.
Be sure to re-enable Antivir, if you haven't already.
Are you still getting redirects, or is the machine behaving normally?
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: IE redirects and pop-ups

Unread postby tblue » July 25th, 2010, 4:04 pm

Machine appears to be normal. I have Antivir enabled and will update it regularly. What else would you suggest to prevent this from happening again? What other programs should I run and how often? Are Antivir and Malwarybytes sufficient? Thanks.
tblue
Regular Member
 
Posts: 32
Joined: August 2nd, 2007, 5:14 pm
Location: North Carolina

Re: IE redirects and pop-ups

Unread postby askey127 » July 26th, 2010, 7:14 am

tblue,
A new HOSTS file will protect you from accidentally contacting thousands of malicious websites.
I would update Malwarebytes' Antimalware and scan with it about once a week or so.
-----------------------------------------------------------
Replace the Current HOSTS File with MVPs
You can read about HOSTS files here : http://www.mvps.org/winhelp2002/hosts.htm

  • Disable DNS Client Service. This is necessary when installing a large HOSTS file to avoid startup delays.
    From Start, or Start, Run
    Type services.msc in the box and hit <Enter>
    Give permission to continue if necessary.
    Scroll down to DNS Client on the list, Right Click it and choose Properties.
    Under Service Status, click Stop. Wait until it reports the service stopped.
    Under Startup Type, choose Disabled.
    Then click Apply, OK

  • Use HostsXpert to Install the HOSTS File
    Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.
    • In the bottom half of the left pane, click on File Handling
    • If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only
    • Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.
    • Click on the top button labeled MVPs Hosts and choose Replace
    • When asked to verify if you want to Replace present Hosts file, click OK.
    • When it finishes, click on File Handling again.
    • Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?
    • Hit the X in the upper right corner to exit HostsXpert
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.
-----------------------------------------------------------
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.

You should be good to go.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: IE redirects and pop-ups

Unread postby tblue » July 28th, 2010, 2:43 am

Thanks, I'll try to get these last steps done soon. Couple of questions: Did the Rootkit.Win32 get cleared up by the TDSSkiller or combofix? I assumed that since TDSSkiller found the problem that it cured it. If so, what was the issue combofix corrected? Just curious...but other than that I think I'm good to go like you said. Many, many thanks to you.
tblue
Regular Member
 
Posts: 32
Joined: August 2nd, 2007, 5:14 pm
Location: North Carolina

Re: IE redirects and pop-ups

Unread postby askey127 » July 28th, 2010, 7:11 am

tblue,
The TDSS rootkit causes legitimate system files to be replaced with infected ones of the same name.
When Gmer was run it did not pick up the symptoms for a TDSS rootkit itself.
There was an infected file on your system, stated to be related to a TDSS rootkit, that was missed by other scanners, but was detected and replaced by TDSSKiller. ( I had never seen that particular file infected before). There was an additional infected file detected and removed by ComboFix.
Combofix also installed the recovery Console which might be of help in any future repair.
It may be that you had the TDSS rootkit at one time, and that it was removed, but some infected files were left behind.
The Microsoft Malicious software removal tool (part of Microsoft updates) could have removed the rootkit.

You should delete TDSSKiller and ComboFix (zzz.exe) from your desktop.
Good job.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: IE redirects and pop-ups

Unread postby tblue » July 29th, 2010, 2:17 am

Thanks so much for all your help.
tblue
Regular Member
 
Posts: 32
Joined: August 2nd, 2007, 5:14 pm
Location: North Carolina

Re: IE redirects and pop-ups

Unread postby askey127 » July 29th, 2010, 7:26 am

this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 299 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware