Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Some Google redirects, computer runs slow...


Re: Some Google redirects, computer runs slow...

Post by melboy » November 5th, 2010, 12:18 pm

Hi

ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop

  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How To Temporarily disable your security applications

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning:
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Post by rickhavoc » November 5th, 2010, 6:07 pm

Here's the Combofix log:

ComboFix 10-11-05.05 - rickhavoc 11/05/2010 14:48:40.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1671 [GMT -7:00]
Running from: c:\documents and settings\rickhavoc\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Microsoft
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job

.
((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.

2010-11-05 19:24 . 2010-11-05 19:24 119808 ----a-w- c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
2010-10-27 00:32 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-27 00:31 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 21:58 . 2010-10-12 21:58 81920 ----a-w- c:\windows\system32\cb.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2009-04-22 18:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-04-22 18:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-04-22 18:51 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-04-22 18:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2009-04-22 18:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2009-04-22 18:51 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2009-04-22 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2009-04-22 18:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 15:57 . 2009-04-22 18:51 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2009-04-22 18:51 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2009-04-22 18:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2009-04-22 18:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2009-04-22 18:52 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2009-04-22 18:52 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-09-13 15:35 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2009-04-22 18:51 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2009-04-22 18:52 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2009-04-22 18:52 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-11-05 19:24 . 2010-11-05 19:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-11-05 30192]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-10-17 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-18 3168216]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\rickhavoc\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/12/2009 12:42 PM 233136]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [9/12/2009 12:07 PM 24576]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [9/12/2009 12:42 PM 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [9/12/2009 12:41 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [9/12/2009 12:41 PM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [9/12/2009 12:41 PM 115216]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/22/2009 11:18 AM 1684736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/22/2009 11:30 AM 30192]
S3 Normandy;Normandy SR2; [x]
S3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [9/12/2009 12:41 PM 32680]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/5/2010 5:35 PM 112592]
S4 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx? ... 9&m=el1600
mStart Page = hxxp://homepage.emachines.com/rdr.aspx? ... 9&m=el1600
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\rickhavoc\Application Data\Mozilla\Firefox\Profiles\8kd3hzl4.default\
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-CTFMON - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-22L7A0 rev.01.03E01 -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-6 -> \??\IDE#DiskWDC_WD1600AAJS-22L7A0___________________01.03E01#5&148c697d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DA7292
user & kernel MBR OK

Registry trace:
called modules: ntkrnlpa.exe hal.dll

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-05 15:00:06
ComboFix-quarantined-files.txt 2010-11-05 22:00

Pre-Run: 129,332,998,144 bytes free
Post-Run: 129,293,508,608 bytes free

- - End Of File - - BFA11DABB6177E5379238F68035B8647
rickhavoc
Regular Member
 
Posts: 31
Joined: October 29th, 2010, 1:32 am
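As an added example (not ComboFix's own code and not anything posted in this thread), the Python script below parses ComboFix-style log lines like the ones above and flags the items the helper went on to query: the run of sequentially numbered At*.job tasks, an executable created directly in system32, the disabled Windows Firewall setting and the manual Firefox proxy setting. The sample lines are copied from the log above; the flagging rules are heuristics assumed for this example, not ComboFix's.

```python
"""Triage helper for ComboFix-style log excerpts (added example; not ComboFix code)."""
import re

# Constructed sample: a few lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
((((( Other Deletions )))))
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
((((( Files Created from 2010-10-05 to 2010-11-05 )))))
2010-10-27 00:31 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 21:58 . 2010-10-12 21:58 81920 ----a-w- c:\windows\system32\cb.exe
((((( Reg Loading Points )))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
FF - prefs.js: network.proxy.type - 1
"""

# "created . modified size attrs path" entries (Files Created / Find3M sections)
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# AtN.job is the naming scheme of the legacy 'at' scheduler
AT_JOB = re.compile(r"\\windows\\tasks\\at(\d+)\.job$", re.IGNORECASE)
# An .exe sitting directly in system32 (no subfolder, no vendor path)
SYSTEM32_EXE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)


def parse_file_lines(text):
    """Return file entries as dicts; lines that are not file entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def at_job_runs(text, min_run=3):
    """Return (first, last) pairs for runs of >= min_run consecutively numbered At<N>.job.

    Heuristic assumed by this example: an end user rarely creates dozens of
    numbered 'at' jobs by hand, so a long consecutive run deserves a closer look.
    """
    numbers = set()
    for line in text.splitlines():
        m = AT_JOB.search(line.strip())
        if m:
            numbers.add(int(m.group(1)))
    numbers = sorted(numbers)
    runs, i = [], 0
    while i < len(numbers):
        j = i
        while j + 1 < len(numbers) and numbers[j + 1] == numbers[j] + 1:
            j += 1
        if j - i + 1 >= min_run:
            runs.append((numbers[i], numbers[j]))
        i = j + 1
    return runs


def weakened_settings(text):
    """Flag settings in the log that widen exposure or redirect browser traffic."""
    findings = []
    if re.search(r'"EnableFirewall"\s*=\s*0\b', text):
        findings.append("Windows Firewall disabled (EnableFirewall=0)")
    if re.search(r"network\.proxy\.type - 1\b", text):
        findings.append("Firefox set to a manual proxy (network.proxy.type=1)")
    return findings


def triage(text):
    """Combine the checks above into a list of human-readable findings."""
    findings = []
    for lo, hi in at_job_runs(text):
        findings.append(f"run of {hi - lo + 1} consecutive At*.job tasks (At{lo}..At{hi})")
    for entry in parse_file_lines(text):
        if SYSTEM32_EXE.match(entry["path"]):
            findings.append(f"executable created directly in system32: {entry['path']}")
    findings.extend(weakened_settings(text))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Each finding is a lead for the helper to follow up (as melboy did with the VirusTotal check on cb.exe), not a verdict on its own.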

Re: Some Google redirects, computer runs slow...

Post by melboy » November 5th, 2010, 7:56 pm

Hi

Can you give me an update on how the computer is running after following the instructions below?



Check a file

  • Go to VirusTotal
    C:\WINDOWS\system32\cb.exe
  • Click Browse... & the Choose a file to upload dialogue box will open.
  • Copy/Paste the file above into the white File name: box and click open
  • Click Send File, and the file will upload to VirusTotal where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File already submitted, click Reanalyze.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.


In your next reply:
  1. VirusTotal results.
  2. MBAM log
  3. How are things running?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Post by rickhavoc » November 6th, 2010, 5:52 pm

Here's the VirusTotal scan results:



Antivirus | Version | Last Update | Result
AhnLab-V3 | 2010.11.06.01 | 2010.11.06 | -
AntiVir | 7.10.13.145 | 2010.11.05 | -
Antiy-AVL | 2.0.3.7 | 2010.11.06 | -
Authentium | 5.2.0.5 | 2010.11.05 | W32/Damaged_File.gen!Eldorado
Avast | 4.8.1351.0 | 2010.11.06 | -
Avast5 | 5.0.594.0 | 2010.11.06 | -
AVG | 9.0.0.851 | 2010.11.06 | -
BitDefender | 7.2 | 2010.11.06 | -
CAT-QuickHeal | 11.00 | 2010.11.04 | -
ClamAV | 0.96.2.0-git | 2010.11.06 | -
Comodo | 6632 | 2010.11.06 | -
DrWeb | 5.0.2.03300 | 2010.11.06 | -
Emsisoft | 5.0.0.50 | 2010.11.06 | -
eSafe | 7.0.17.0 | 2010.11.04 | -
eTrust-Vet | 36.1.7958 | 2010.11.05 | -
F-Prot | 4.6.2.117 | 2010.11.05 | W32/Damaged_File.gen!Eldorado
F-Secure | 9.0.16160.0 | 2010.11.06 | -
Fortinet | 4.2.249.0 | 2010.11.06 | -
Gdata | 21 | 2010.11.06 | -
Ikarus | T3.1.1.90.0 | 2010.11.06 | -
Jiangmin | 13.0.900 | 2010.11.06 | -
K7AntiVirus | 9.67.2903 | 2010.11.03 | -
Kaspersky | 7.0.0.125 | 2010.11.06 | -
McAfee | 5.400.0.1158 | 2010.11.06 | Corrupt-EP
McAfee-GW-Edition | 2010.1C | 2010.11.06 | Heuristic.BehavesLike.Win32.ModifiedUPX.C
Microsoft | 1.6301 | 2010.11.06 | -
NOD32 | 5597 | 2010.11.06 | -
Norman | 6.06.10 | 2010.11.06 | -
nProtect | 2010-11-06.01 | 2010.11.06 | -
Panda | 10.0.2.7 | 2010.11.06 | -
PCTools | 7.0.3.5 | 2010.11.06 | -
Prevx | 3.0 | 2010.11.06 | -
Rising | 22.72.04.00 | 2010.11.06 | -
Sophos | 4.59.0 | 2010.11.06 | -
Sunbelt | 7235 | 2010.11.06 | -
SUPERAntiSpyware | 4.40.0.1006 | 2010.11.06 | -
Symantec | 20101.2.0.161 | 2010.11.06 | WS.Reputation.1
TheHacker | 6.7.0.1.076 | 2010.11.05 | W32/Behav-Heuristic-CorruptFile-EP
TrendMicro | 9.120.0.1004 | 2010.11.06 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.11.06 | -
VBA32 | 3.12.14.1 | 2010.11.05 | -
ViRobot | 2010.10.4.4074 | 2010.11.06 | -
VirusBuster | 12.71.8.0 | 2010.11.06 | -
rickhavoc
Regular Member
 
Posts: 31
Joined: October 29th, 2010, 1:32 am

Re: Some Google redirects, computer runs slow...

Post by melboy » November 7th, 2010, 5:39 am

hi

Do you have the Malwarebytes log and a description of how things are running?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Post by rickhavoc » November 7th, 2010, 12:13 pm

Very sorry for the delay. Here is the Malware Bytes Log. I scanned this morning. As of last night, computer still has some start-up/shut-down issues. Plus, was still experiencing pop-ups and sometimes redirects to bad websites. When Google searching, clicking on links would redirect somewhere else. I'll report a little later after using it a while on how it's doing once again. However, computer is running much faster than before and lasts a lot longer until it finally starts to slow to a crawl after about an hour or two.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5066

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/7/2010 7:00:09 AM
mbam-log-2010-11-07 (07-00-09).txt

Scan type: Quick scan
Objects scanned: 137434
Time elapsed: 22 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\TMP5.tmp (Trojan.Agent) -> Delete on reboot.
rickhavoc
Regular Member
 
Posts: 31
Joined: October 29th, 2010, 1:32 am

Re: Some Google redirects, computer runs slow...

Post by melboy » November 7th, 2010, 5:22 pm

Hi


Click Start > Run. Copy and paste the contents of the codebox below into the run box (Do Not include Code:), then click OK:
Code:
C:\QooBox\ComboFix-quarantined-files.txt

A log will open, Post the contents in your next reply.



TFC

You should still have this on your desktop. If not, download it from here

  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: [button image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: [button image] (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.




In your next reply:
  1. Contents of ComboFix-quarantined-files.txt
  2. ESET log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Post by rickhavoc » November 8th, 2010, 2:29 pm

I am having some problems with the shutting down of my SpywareDoctor w/Antivirus, and message says it might harm my computer if Combofix runs at the same time. I followed the directions at "BleepingComputer" in regards to shutting down my antivirus and firewall. However, the antivirus portion of my spyware won't shut down for some reason. The first time I ran Combofix, I had to delete Spyware Doctor entirely from my system, then re-install the whole thing after I finished (for Combofix to run properly). I'd probably get rid of SD permanently, but I have about a year left with them. I did find a previous Qoobox Quarantine list from 5-11-2010, and it is posted below. When I run TFC, it does not give me an option to save a log, nor am I able to find a log in the (C:) area or anywhere else. Am I looking in the right area for it? I am about to do the ESET online scan you requested, and will post it shortly. Also, my computer tends to freeze up sooner now. Maybe from shutting down my firewall and Spyware Doctor and other stuff coming in?

2010-11-05 21:58:26 . 2010-11-05 21:58:26 256 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CTFMON.reg.dat
2010-11-05 21:57:41 . 2010-11-05 21:57:42 156 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SunJavaUpdateSched.reg.dat
2010-11-05 21:57:37 . 2010-11-05 21:57:38 103 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-eRecoveryService.reg.dat
2010-11-05 21:02:01 . 2010-11-05 21:53:30 6,424 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-11-05 20:43:00 . 2010-11-05 21:47:23 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-10-11 13:12:46 . 2010-10-12 06:56:05 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At48.job.vir
2010-10-11 13:12:42 . 2010-10-29 06:02:02 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At47.job.vir
2010-10-11 13:12:39 . 2010-11-03 13:01:28 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At46.job.vir
2010-10-11 13:12:36 . 2010-11-05 13:19:59 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At45.job.vir
2010-10-11 13:12:33 . 2010-11-05 03:22:38 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At44.job.vir
2010-10-11 13:12:30 . 2010-11-05 03:22:38 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At43.job.vir
2010-10-11 13:12:25 . 2010-11-01 01:21:20 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At42.job.vir
2010-10-11 13:12:21 . 2010-11-04 03:08:11 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At41.job.vir
2010-10-11 13:12:18 . 2010-10-31 23:31:55 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At40.job.vir
2010-10-11 13:12:14 . 2010-10-31 14:18:21 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At39.job.vir
2010-10-11 13:12:11 . 2010-11-02 23:18:28 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At38.job.vir
2010-10-11 13:12:08 . 2010-11-05 19:59:08 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At37.job.vir
2010-10-11 13:12:05 . 2010-11-05 19:15:43 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At36.job.vir
2010-10-11 13:12:01 . 2010-11-05 18:41:41 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At35.job.vir
2010-10-11 13:11:58 . 2010-11-01 23:31:34 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At34.job.vir
2010-10-11 13:11:55 . 2010-10-30 18:43:54 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At33.job.vir
2010-10-11 13:11:52 . 2010-10-31 22:27:13 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At32.job.vir
2010-10-11 13:11:49 . 2010-11-04 18:41:38 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At31.job.vir
2010-10-11 13:11:46 . 2010-11-02 13:04:57 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At30.job.vir
2010-10-11 13:11:44 . 2010-10-11 13:11:44 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At29.job.vir
2010-10-11 13:11:41 . 2010-10-11 13:11:42 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At28.job.vir
2010-10-11 13:11:39 . 2010-10-11 13:11:39 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At27.job.vir
2010-10-11 13:11:37 . 2010-10-11 13:11:37 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At26.job.vir
2010-10-11 13:11:34 . 2010-10-11 13:11:35 406 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At25.job.vir
rickhavoc
Regular Member
 
Posts: 31
Joined: October 29th, 2010, 1:32 am

Re: Some Google redirects, computer runs slow...

Post by melboy » November 8th, 2010, 3:04 pm

rickhavoc wrote: I am having some problems with the shutting down of my SpywareDoctor
Thanks for letting me know. I'll look into it.

rickhavoc wrote: When I run TFC, it does not give me an option to save a log, nor am I able to find a log in the (C:) area or anywhere else. Am I looking in the right area for it?
It doesn't produce a log. It just clears out all the unnecessary temporary files before running a scan.

Post the ESET log when ready.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Post by rickhavoc » November 9th, 2010, 3:45 pm

Ok, here is what results I got from the ESET scan. I ran it 3 times, but had to quit it twice because it took so long. I finally just let it run and went to sleep. This is all I found when I woke up.

C:\Program Files\Java\jre6\lib\rt.jar a variant of Java/Exploit.CVE-2010-0094.E trojan
rickhavoc
Regular Member
 
Posts: 31
Joined: October 29th, 2010, 1:32 am

Re: Some Google redirects, computer runs slow...

Post by melboy » November 9th, 2010, 4:15 pm

Hi

  1. Delete your current copy of TDSSKiller from your desktop and download a fresh copy from here

  2. Delete your current copy of DDS from your desktop and download a fresh copy from here

  3. Then follow the instructions below in order.




TDSSKiller

  • Double click TDSSKiller.exe

    • Under "Objects to scan" ensure "Services and drivers" & "Boot Sectors" are checked.

  • Click Start scan and allow it to scan for Malicious objects.
  • If Malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt.
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents in your next reply

--------------------------------------

After any reboot by TDSSKiller:


Re-run DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Please see this topic. Scroll down to "PCTools"

  • Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, please copy & paste the contents of:
    • DDS.txt
And post it in your next reply.


In your next reply:
  1. DDS.txt
  2. TDSSKiller log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Post by rickhavoc » November 10th, 2010, 5:45 pm

Hi Melboy,
Sorry for the delay. My E-Machines computer (the one you were helping me with) finally took the big dump. When I turn it on, it keeps re-booting itself to a black screen that gives me a chance to reboot in Safe Mode, Safe Mode with Networking, Etc., Last Good Configuration, or Boot Up Normally. However, when I choose any of them, all it does is shut off and re-boot back to the same screen. It also gives me the option to do DEL which brings up the "enter set-up" screen and gives me several choices, none of which I am familiar with or look like they will help me. Or, I can also get to a boot device screen after pushing F12. It gives me two choices with a bunch of numbers on each. I've pushed both with no luck. Looks like I may end up having to just re-install, right? I'm writing this on an old Dell computer I have which still works.
rickhavoc
Regular Member
 
Posts: 31
Joined: October 29th, 2010, 1:32 am

Re: Some Google redirects, computer runs slow...

Post by melboy » November 10th, 2010, 7:04 pm

Hi

Oh dear, that's not good news.

Did you manage to run the last set of instructions or did it stop booting prior to that?

Do you have back-ups of your data and the resources to re-install the OS?

Do you see an option to enter the Recovery Console?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some Google redirects, computer runs slow...

Unread postby rickhavoc » November 11th, 2010, 12:39 am

Sorry...no, I was not able to run the last set of instructions/scans. I was in the process of starting them early this morning. I called E-Machines and they are sending me a new disc/discs for recovery/OS. It should get here in a few days. The only thing I made sure I backed up on discs were my own personal files I didn't want to lose. I did that after you said it would be a good idea to. I am able to see what looks like options to recover, but when I choose them, the computer just continuously re-boots back to the same screen of choices, but never does it. It just goes round and round again, re-booting over and over.
rickhavoc
Regular Member
Posts: 31
Joined: October 29th, 2010, 1:32 am

Re: Some Google redirects, computer runs slow...

Unread postby melboy » November 11th, 2010, 6:10 pm

Hi

I think under the circumstances the best thing would be to re-install the OS. It's two weeks since you started the topic and as you've gone to the trouble of ordering the disks and you have back-ups of the data you wished to keep, it's probably a good idea to start afresh. Troubleshooting the boot problems could be a lengthy and complicated procedure with no guarantees we can resolve it.


Some advice for when you reinstall the OS:

Link: How to Reformat & Reinstall your Operating System


After formatting the HDD and reinstalling the OS, install an antivirus straight away, before connecting to the internet. Have the installer file for your chosen AV handy on a form of removable media (Flash Drive/CD etc) if at all possible.

Once you have installed an AV and connected to the internet, check for antivirus updates straight away and then make getting Windows updates a priority.

================================


Below is some general advice/suggestions for programs to install. You may have your own preference for an Antivirus/firewall. (Your PCTools license should still be good should you wish to reinstall that.)

Antivirus
Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.
Suggestions:
  • Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
  • avast! Home Edition - Anti-virus program for Windows. The home edition is freeware for non-commercial users.
  • Microsoft Security Essentials - Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
[Please note that trial pay is not needed to get any product for free.]
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, system instability and false virus alerts.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab, or visit the Microsoft Update site on a regular basis.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7
    Internet Explorer6


Recommended Programs

I would recommend the download and installation of some or all of the following programs, and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
  • Hosts File
    For added protection you may also like to add a hosts file. A simple explanation of what a hosts file does is HERE and for more information regarding hosts files read HERE.
  • Use an alternative Internet Browser
    Many exploits are directed at users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:
    [Please note that trial pay is not needed to get any product for free.]




Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein: So How Did I Get Infected In The First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
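The hosts file advice in the post above cuts both ways. A protective hosts file maps known-bad domains to a loopback or unspecified address so the browser never reaches them, but malware edits the very same file to send search engines to attacker-controlled addresses (one cause of "Google redirects") or to pin antivirus and Windows Update servers to 127.0.0.1 so the machine can no longer update. The script below is an added example, not code from this thread or from MalwareRemoval.com: it parses hosts file syntax and flags both kinds of hostile entry. The sample file contents and the watch list of update/security hostnames are constructed for the demonstration; the Windows hosts file itself lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit a hosts file for hijack-style entries (added example, not from the thread)."""
import ipaddress
import sys

# Constructed sample hosts file: two harmless blocking entries, one hostile
# blocking entry, one hostile redirect, and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net          # blocking entry: harmless
127.0.0.1       tracker.example             # blocking entry: harmless
127.0.0.1       update.avast.com            # blocks an AV update server: hostile
203.0.113.5     www.google.com google.com   # redirect to a remote address: hostile
garbage line that the resolver would ignore
"""

# Constructed watch list (an assumption for this example): hosts that a home
# PC should never be prevented from reaching. Malware commonly adds loopback
# entries for exactly these so that AV signatures and OS patches stop arriving.
WATCHED_DOMAINS = (
    "windowsupdate.com", "update.microsoft.com", "microsoft.com",
    "avast.com", "avira.com", "malwarebytes.org", "symantec.com", "kaspersky.com",
)


def is_watched(name):
    """True if name equals or is a subdomain of a watched domain."""
    lname = name.lower()
    return any(lname == d or lname.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Return (line_no, ip_address, [hostnames]) for every parseable entry.

    Comments start at '#', whitespace separates fields, the first field must
    be an IPv4/IPv6 literal; anything else is skipped, as the resolver does.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((line_no, addr, fields[1:]))
    return entries


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each suspicious mapping.

    A mapping to a loopback/unspecified address is a block (fine unless the
    blocked name is an update or security host); any other address is a
    redirect, which a protective hosts file never needs.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        blocking = addr.is_loopback or addr.is_unspecified
        for name in names:
            if not blocking:
                findings.append((line_no, str(addr), name, "redirect to remote address"))
            elif name.lower() != "localhost" and is_watched(name):
                findings.append((line_no, str(addr), name, "blocks security/update host"))
    return findings


def main(argv):
    """Audit the file given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = audit_hosts(text)
    for line_no, addr, name, reason in findings:
        print(f"line {line_no}: {addr} {name}  <- {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file with the path above; a non-zero exit means something was flagged. Entries that point a name at 0.0.0.0 or 127.0.0.1 are the normal shape of a protective hosts file and are left alone unless the name is on the watch list, so a large blocklist does not drown the output.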