Browser Hijack & Redirect....Please Help [Solved]



#16 sowsworld (Member, Topic Starter, 24 posts)
Ok....
Removed AVG
Updated Adobe
Updated Java (I had the latest version)

Deleted ComboFix and re-downloaded it.
Latest ComboFix log file below...



ComboFix 10-01-19.03 - Owner 01/19/2010 18:57:53.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1596 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-19 23:51 . 2010-01-19 23:51 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-19 23:49 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-19 23:48 . 2010-01-19 23:48 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-19 23:48 . 2010-01-19 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-19 00:18 . 2010-01-19 00:18 -------- d-----w- c:\documents and settings\Owner\log
2010-01-19 00:18 . 2010-01-19 00:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-01-18 22:13 . 2010-01-18 22:13 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-18 19:08 . 2010-01-18 22:33 -------- d-----w- C:\$AVG
2010-01-18 19:07 . 2010-01-18 19:07 -------- d-----w- c:\program files\AVG
2010-01-18 17:23 . 2010-01-18 17:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 17:22 . 2010-01-18 17:22 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-18 17:22 . 2010-01-18 17:22 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-18 05:03 . 2010-01-18 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-18 03:51 . 2010-01-19 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-18 03:28 . 2010-01-18 03:28 -------- d-----w- c:\program files\TrendMicro
2010-01-16 17:31 . 2010-01-16 17:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-12 23:56 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 00:17 . 2010-01-18 17:40 -------- d-----w- C:\CC Cleaner
2010-01-10 00:13 . 2010-01-10 00:13 -------- d-----w- c:\program files\CCleaner
2009-12-26 01:31 . 2009-12-26 01:31 51912 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-25 02:53 . 2009-12-25 02:54 -------- d-----w- c:\program files\QuickTime
2009-12-25 02:45 . 2009-12-25 02:45 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 23:50 . 2005-02-06 01:40 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-19 23:49 . 2009-08-10 22:57 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-19 03:39 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-19 00:18 . 2009-03-11 04:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 21:12 . 2009-08-12 18:21 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUpMedia
2010-01-18 17:23 . 2004-11-15 22:07 -------- d-----w- c:\program files\Java
2010-01-18 04:22 . 2009-04-01 02:25 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-13 05:13 . 2006-03-13 23:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-01-13 05:11 . 2009-08-12 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-01-07 21:07 . 2009-03-11 04:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-03-11 04:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 02:59 . 2009-08-03 14:31 -------- d-----w- c:\program files\iTunes
2009-12-25 02:58 . 2006-03-13 23:44 -------- d-----w- c:\program files\iPod
2009-12-25 02:58 . 2009-07-11 14:34 -------- d-----w- c:\program files\Common Files\Apple
2009-12-08 02:42 . 2009-07-29 02:48 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:51 . 2004-11-15 20:29 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2009-08-10 22:57 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-29 07:45 . 2004-11-15 20:30 916480 ------w- c:\windows\system32\wininet.dll
2005-09-10 13:50 . 2005-07-16 13:43 61920 ----a-w- c:\program files\MC
2005-02-27 17:38 . 2005-02-27 17:38 2342432 ----a-w- c:\program files\LimeWireWin.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-18_16.58.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-19 23:33 . 2010-01-19 23:33 16384 c:\windows\temp\Perflib_Perfdata_6d0.dat
- 2004-11-15 21:45 . 2010-01-18 16:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-11-15 21:45 . 2010-01-19 03:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-16 17:31 . 2010-01-19 03:28 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-01-16 17:31 . 2010-01-18 16:43 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2004-11-15 21:45 . 2010-01-19 03:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-11-15 21:45 . 2010-01-18 16:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-19 23:49 . 2010-01-19 23:49 27648 c:\windows\Installer\f3890.msi
+ 2010-01-18 17:23 . 2010-01-18 17:23 149280 c:\windows\system32\javaws.exe
+ 2010-01-18 17:23 . 2010-01-18 17:23 145184 c:\windows\system32\javaw.exe
+ 2010-01-18 17:23 . 2010-01-18 17:23 145184 c:\windows\system32\java.exe
- 2004-11-15 21:45 . 2010-01-18 16:43 278528 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-11-15 21:45 . 2010-01-19 03:28 278528 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-18 17:23 . 2010-01-18 17:23 537600 c:\windows\Installer\786a6.msi
+ 2010-01-19 00:16 . 2010-01-19 00:18 2413136 c:\windows\system32\Restore\rstrlog.dat
+ 2010-01-19 23:51 . 2010-01-19 23:51 3940352 c:\windows\Installer\f39c5.msi
- 2005-05-11 02:54 . 2010-01-05 00:17 29634504 c:\windows\system32\MRT.exe
+ 2005-05-11 02:54 . 2010-01-04 21:17 29634504 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-12 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-18 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-10-13 20:00 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-10-21 21:44 2744832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-09-10 05:10 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-08-12 21:45 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 06:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-10-08 15:31 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-10-21 18:20 77824 ----a-w- c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\Partseal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"lanmanworkstation"=2 (0x2)
"WmiApSrv"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"LmHosts"=2 (0x2)
"wscsvc"=2 (0x2)
"SamSs"=2 (0x2)
"seclogon"=2 (0x2)
"RDSessMgr"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Netlogon"=3 (0x3)
"NtLmSsp"=3 (0x3)
"IDriverT"=3 (0x3)
"CiSvc"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-02-05 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-11-15 00:12]

2005-02-05 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-11-15 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: autotrader.com\www
Trusted Zone: go.com\sports.espn
Trusted Zone: intuit.com
Trusted Zone: tdameritrade.com
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-19 19:07:03
ComboFix-quarantined-files.txt 2010-01-20 00:07

Pre-Run: 120,925,433,856 bytes free
Post-Run: 121,018,929,152 bytes free

- - End Of File - - 691C1B098C2CD5B2E9CFF0FFE3FE464C
#17 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
That's good, we can clean up our tools now.

Please do the following:


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.

Posted Image




NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



If there are any remaining logs /tools left on your desk top > right click and delete them.



NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for Firefox, IE and Chrome.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Edited by CatByte, 19 January 2010 - 06:18 PM.


#18 sowsworld (Member, Topic Starter, 24 posts)
CatByte,
I can't thank you enough for your help and prompt responses. I followed and downloaded all your suggestions above.
I currently have CCleaner and Advanced System Care... should I continue to use them?
Well, off to my mom's house; she said she is getting similar problems to mine... hopefully it's not as bad and can be solved with Malwarebytes.

Thanks again for all your help... you can close the thread.

Thanks!!!!

#19 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
You are more than welcome, continue with CCleaner and Advanced system care.

Don't run any of the advanced scans on your mom's computer on your own, too many things can go wrong.

It's fine to run MalwareBytes.

I'll leave this thread open, if she has major issues, run a DDS and GMER scan on her computer and post them to this thread.

#20 sowsworld (Member, Topic Starter, 24 posts)
OK cool... going over there now... should know in 30 mins or so.
You rock!!!

#21 sowsworld (Member, Topic Starter, 24 posts)
Hi CatByte,
I am at my mom's... and it's bad, it would allow me to connect to the internet. It's blocking me with Antivirus Live in the browser. Please help. I am on my laptop with my wireless card.

#22 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

download the following tool onto your USB and transfer it over

run flash disinfector first on your laptop


Download Flash_Disinfector.exe from HERE and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.



NEXT

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


see if that frees up the computer enough to run DDS and GMER

#23 sowsworld (Member, Topic Starter, 24 posts)
I tried saving it to a flash drive and then transferring it over; it blocks it: "application can't be executed. the flash defector is infected"

#24 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Do you still have access to Task Manager (Ctrl+Alt+Del)? If so, end the process on any of the following processes if they are there:



smss32.exe
winlogon32.exe
winupdate86.exe
msa.exe
a.exe
b.exe
c.exe
notepad.exe
41.exe
logon.exe
critical_warning.html
lsm32.sys
opeia.exe
IS2010.exe
xxxsysguard.exe


#25 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
If your task manager is disabled, try this run command to enable it again


Open a run box (windows key + R) > copy/paste the following command into the run box > OK



reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t Reg_dword /d 0 /f

This should enable your Task Manager.

Re-run this command as often as you need to if the malware disables it again.
#26 sowsworld (Member, Topic Starter, 24 posts)
I can get into Task Manager... but none of those are running. I was able to do malware in safe mode, which found a few issues; that has now helped, but it is not letting me access the internet. I am running malware in normal mode now, but still no internet access.

#27 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
OK, MBAM should clean up enough to get back on the internet, or at least so you can use the USB

If so, run this next program, it will run from a USB


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


#28 sowsworld (Member, Topic Starter, 24 posts)
It still wouldn't let me on the internet, so I transferred it over on the thumb drive... here are the results that I transferred back over to post.

ComboFix 10-01-19.03 - Carol Arthur 01/19/2010 21:39:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.531 [GMT -5:00]
Running from: c:\documents and settings\Carol Arthur\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1314201555-3785290187-2462946864-1006

.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 02:34 . 2010-01-20 02:37 -------- d-----w- c:\windows\LastGood
2010-01-20 01:46 . 2010-01-20 01:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-20 01:32 . 2010-01-20 01:32 -------- d-----w- c:\documents and settings\Carol Arthur\Application Data\Malwarebytes
2010-01-20 01:32 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-20 01:32 . 2010-01-20 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 01:32 . 2010-01-20 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-20 01:32 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-20 01:18 . 2010-01-20 01:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-20 01:18 . 2010-01-20 01:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-18 23:22 . 2010-01-20 02:06 -------- d-----w- c:\documents and settings\Carol Arthur\Local Settings\Application Data\gdpatt
2010-01-17 00:31 . 2010-01-17 00:31 -------- d-----w- c:\documents and settings\Carol Arthur\Local Settings\Application Data\Yahoo!
2010-01-01 17:15 . 2010-01-01 17:15 -------- d-----w- c:\documents and settings\Carol Arthur\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 02:37 . 2008-11-18 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-20 02:37 . 2008-11-18 02:18 -------- d-----w- c:\program files\Trend Micro
2010-01-19 23:25 . 2009-02-22 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-17 14:38 . 2009-11-11 16:08 79488 ----a-w- c:\documents and settings\Carol Arthur\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-01 17:42 . 2008-08-22 22:12 -------- d-----w- c:\program files\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"nwiz"="nwiz.exe" [2008-02-25 1626112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 gupdate1c99539eeef22f6;Google Update Service (gupdate1c99539eeef22f6);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2009 5:07 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - tmactmon
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - tmpreflt
*Deregistered* - tmxpflt
*Deregistered* - vsapint
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-22 01:23]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-22 22:07]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-22 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LaunchApp - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 21:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-01-19 21:43:14
ComboFix-quarantined-files.txt 2010-01-20 02:43

Pre-Run: 61,807,767,552 bytes free
Post-Run: 61,897,961,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E9ACE68FE4174F5BDBEE950D05E9FA97
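Added example, not code from the thread, from ComboFix or from the helper: a small Python triage pass over the ComboFix log format posted above, fed with lines copied out of the two logs in this thread (labelled as a constructed sample). The section names, the `[X]` marker and the value syntax are taken from the logs as shown; the categories and what counts as suspicious (numeric-named executables deleted from system32, Run-key entries whose file is missing or given without a path, the Security Center monitoring override, and a per-user IE proxy pointed at 127.0.0.1:5555, which is enough on its own to keep a browser offline once the process that listened there is gone) are my own heuristics, chosen to match what these two logs contain.

```python
"""Triage pass over a ComboFix-style log (added example; not ComboFix's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the two ComboFix logs posted in this thread,
# cut down to the three sections the checks below read.
SAMPLE_LOG = r"""(((((((((((((((( Other Deletions ))))))))))))))))
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\Thumbs.db
(((((((((((((((( Reg Loading Points ))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# Section banners look like "(((( Title ))))" or "------- Title -------".
BANNER_RE = re.compile(r"^[(\-\s]+([A-Za-z][\w .@:&\-]*?)[\s)\-]+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" [date size]  or  "Name"=dword:00000001  ([X] = target not found)
VALUE_RE = re.compile(r'^"([^"]+)"="?([^"]*)"?\s*(\[[^\]]*\])?\s*$')
NUMERIC_EXE_RE = re.compile(r"^[a-z]:\\.*\\\d+\.exe$", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under the banner line that precedes them."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def check_deletions(lines: List[str]) -> List[Tuple[str, str]]:
    """Executables named with nothing but digits, dropped into a system directory."""
    return [("numeric-exe-deleted", l.strip()) for l in lines if NUMERIC_EXE_RE.match(l.strip())]


def check_autoruns(lines: List[str]) -> List[Tuple[str, str]]:
    """Run keys whose target is missing or has no path, plus the Security Center override."""
    out: List[Tuple[str, str]] = []
    key = ""
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value, tag = vm.group(1), vm.group(2), vm.group(3) or ""
        low = key.lower()
        if low.endswith("\\currentversion\\run"):
            if tag == "[X]":
                out.append(("autorun-missing-file", f"{key}\\{name} -> {value}"))
            elif "\\" not in value:  # bare name: resolved via the search path, so verify which copy runs
                out.append(("autorun-bare-name", f"{key}\\{name} -> {value}"))
        elif low.endswith("security center\\monitoring") and name.lower() == "disablemonitoring":
            if value.lower().endswith(":00000001"):
                out.append(("security-center-monitoring-off", f"{key}\\{name} = {value}"))
    return out


def check_internet_settings(lines: List[str]) -> List[Tuple[str, str]]:
    """A per-user IE proxy aimed at the loopback address keeps the browser offline."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        if "ProxyServer" in line and "=" in line:
            target = line.split("=", 1)[1].strip()
            local = "127.0.0.1" in target or "localhost" in target.lower()
            out.append(("loopback-proxy" if local else "proxy-configured", target))
    return out


def triage(text: str) -> List[Tuple[str, str]]:
    """Run every check against its section and return (category, detail) findings."""
    sections = split_sections(text)
    findings: List[Tuple[str, str]] = []
    findings += check_deletions(sections.get("Other Deletions", []))
    findings += check_autoruns(sections.get("Reg Loading Points", []))
    findings += check_internet_settings(sections.get("Supplementary Scan", []))
    return findings
```

`triage(open("ComboFix.txt").read())` works on a full log as well, since the banner regex also recognises the other section headers ComboFix prints and the checks simply ignore sections they do not read.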

#29 sowsworld (Member, Topic Starter, 24 posts)
After ComboFix... I can now access the internet from her computer.

#30 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Good, can you post the MBAM log as well, while I look over the ComboFix log?

Edited by CatByte, 19 January 2010 - 08:51 PM.
