Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

internetcorckboard infection [Solved]


  • This topic is locked This topic is locked

#31
jimsharpe10

jimsharpe10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Junkware Removal Tool (JRT) by Thisisu
Version: 1.2.3 (10.03.2012)
OS: Microsoft Windows XP x86
Ran by Blake Sharpe on Wed 10/03/2012 at 15:53:18.57
Blog: http://thisisudax.blogspot.com
**************************************************************




*** Services: 0 Detections



*** Registry Values: 0 Detections



*** Registry Keys:

Successfully deleted: [KEY] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}



*** Files:

Successfully deleted: [FILE] C:\eula.1028.txt
Successfully deleted: [FILE] C:\eula.1031.txt
Successfully deleted: [FILE] C:\eula.1033.txt
Successfully deleted: [FILE] C:\eula.1036.txt
Successfully deleted: [FILE] C:\eula.1040.txt
Successfully deleted: [FILE] C:\eula.1041.txt
Successfully deleted: [FILE] C:\eula.1042.txt
Successfully deleted: [FILE] C:\eula.2052.txt
Successfully deleted: [FILE] C:\install.res.1028.dll
Successfully deleted: [FILE] C:\install.res.1031.dll
Successfully deleted: [FILE] C:\install.res.1033.dll
Successfully deleted: [FILE] C:\install.res.1036.dll
Successfully deleted: [FILE] C:\install.res.1040.dll
Successfully deleted: [FILE] C:\install.res.1041.dll
Successfully deleted: [FILE] C:\install.res.1042.dll
Successfully deleted: [FILE] C:\install.res.2052.dll
Successfully deleted: [FILE] C:\install.res.3082.dll



*** Folders: 0 Detections



*** FireFox detected and repaired



*** Event Viewer Logs - NOT cleared





**************************************************************
Scan was completed on Wed 10/03/2012 at 15:54:00.43
End of Report


Junkware Removal Tool (JRT) by Thisisu
Version: 1.2.3 (10.03.2012)
OS: Microsoft Windows XP x86
Ran by Blake Sharpe on Wed 10/03/2012 at 15:53:18.57
Blog: http://thisisudax.blogspot.com
**************************************************************




*** Services: 0 Detections



*** Registry Values: 0 Detections



*** Registry Keys:

Successfully deleted: [KEY] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}



*** Files:

Successfully deleted: [FILE] C:\eula.1028.txt
Successfully deleted: [FILE] C:\eula.1031.txt
Successfully deleted: [FILE] C:\eula.1033.txt
Successfully deleted: [FILE] C:\eula.1036.txt
Successfully deleted: [FILE] C:\eula.1040.txt
Successfully deleted: [FILE] C:\eula.1041.txt
Successfully deleted: [FILE] C:\eula.1042.txt
Successfully deleted: [FILE] C:\eula.2052.txt
Successfully deleted: [FILE] C:\install.res.1028.dll
Successfully deleted: [FILE] C:\install.res.1031.dll
Successfully deleted: [FILE] C:\install.res.1033.dll
Successfully deleted: [FILE] C:\install.res.1036.dll
Successfully deleted: [FILE] C:\install.res.1040.dll
Successfully deleted: [FILE] C:\install.res.1041.dll
Successfully deleted: [FILE] C:\install.res.1042.dll
Successfully deleted: [FILE] C:\install.res.2052.dll
Successfully deleted: [FILE] C:\install.res.3082.dll



*** Folders: 0 Detections



*** FireFox detected and repaired



*** Event Viewer Logs - NOT cleared





**************************************************************
Scan was completed on Wed 10/03/2012 at 15:54:00.43
End of Report
  • 0

Advertisements


#32
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Hi jimsharpe10,

Any change or is the persistent devil still with us?
  • 0

#33
jimsharpe10

jimsharpe10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
still there
  • 0

#34
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Couple of things here.

Found the link below, check it out and see if that helps.

http://answers.micro...3e-abfee7f406cd

Also do this:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\Blake Sharpe\Application Data\Mozilla\Firefox\Profiles\szgmg5b5.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: network.proxy.type - 0


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
  • 0

#35
jimsharpe10

jimsharpe10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
ComboFix 12-10-04.02 - Blake Sharpe 10/04/2012 22:56:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1006 [GMT -4:00]
Running from: c:\documents and settings\Blake Sharpe\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Blake Sharpe\My Documents\Downloads\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-05 to 2012-10-05 )))))))))))))))))))))))))))))))
.
.
2012-10-03 19:28 . 2012-10-03 19:54 -------- d-----w- C:\JRT
2012-10-02 02:35 . 2012-10-02 02:35 -------- d-----w- c:\program files\ESET
2012-10-01 02:15 . 2012-10-01 02:15 -------- d-----w- C:\_OTL
2012-09-28 05:24 . 2012-09-28 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2012-09-28 05:00 . 2012-09-28 05:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2012-09-28 04:56 . 2012-09-28 04:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2012-09-28 04:52 . 2012-09-28 04:52 -------- d-----w- c:\documents and settings\Blake Sharpe\Application Data\SUPERAntiSpyware.com
2012-09-28 04:52 . 2012-09-28 05:07 -------- d-----w- c:\program files\Google
2012-09-28 04:51 . 2012-09-28 04:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-28 04:51 . 2012-09-28 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-09-28 04:46 . 2012-09-28 04:46 -------- d-----w- c:\documents and settings\Blake Sharpe\Application Data\Malwarebytes
2012-09-28 04:46 . 2012-09-28 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-09-28 04:46 . 2012-09-28 04:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-28 04:46 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-27 19:12 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-08-27 19:12 . 2008-04-14 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-08-27 19:12 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-08-27 19:12 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2012-08-24 19:43 . 2011-04-05 04:59 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-07-26 07:21 . 2011-01-07 10:41 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-09-07 22:43 . 2012-09-07 22:43 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-09-21 4780928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\WUAUCLT.EXE"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5834:TCP"= 5834:TCP:Remote Assistance Local
"4735:TCP"= 4735:TCP:Remote Assistance Remote
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 237408]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 301920]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 2:54 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/28/2012 12:46 AM 399432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/11/2011 11:22 AM 47360]
S0 cerc6;cerc6; [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [8/13/2012 3:24 AM 5167736]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/28/2012 12:46 AM 676936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/28/2012 12:46 AM 22856]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/27/2012 11:27 AM 114144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 16:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-10-03 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 42a0e01e-e2c5-401f-a649-1d764f7d0d64.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-10-03 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 7c831580-ca80-4eb7-a882-bcc764922939.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Blake Sharpe\Application Data\Mozilla\Firefox\Profiles\szgmg5b5.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-04 23:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-10-04 23:02:50
ComboFix-quarantined-files.txt 2012-10-05 03:02
ComboFix2.txt 2012-10-01 23:23
.
Pre-Run: 596,467,712 bytes free
Post-Run: 583,589,888 bytes free
.
- - End Of File - - 6CC93D3681F31BF4D72D43631EEA2B3F
  • 0

#36
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Hello again jimsharpe10,

This is becoming a bit of mission for you.

I take it that we still have the beggar. :rolleyes:

Our options are narrowing down. Before we move on to more exotic areas please tell me exactly what is still happening.

Are you getting directed all the time, or just sometimes? Is it when you are using Firefox, or is it also happening with IE?

Any other things that you think are relevant.

Regards

emeraldnzl
  • 0

#37
jimsharpe10

jimsharpe10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
i actually have been looking around for people with the same problem and i am starting to think it might just be extratorrent site itself cause that it the site i use to recreate the redirect and it is byfar the worst for where it occurs. if it is sorry if i wasted your time but i do appreciate your help.
  • 0

#38
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Hello again jimsharpe10,

i am starting to think it might just be extratorrent site itself cause that it the site i use to recreate the redirect


Yes that is supported by the experience the person quotes in the link below:

http://forums.whirlp...archive/1829634

I am not finding problems on your machine. We could spend hours looking at various keys in your machines registry to try and nail something down. It would be like looking for a needle in a haystack and actually, like you, I don't think it is your computer doing it.

You might try this:

-----------------------------------------------

NoSript by Giorgio Maone is another one to add to your protection.

No scripts is an excellant security device. I like it but it is not for everyone because it requires you to take action if you want to see some things (pop ups, banners etc.) on sites you visit.

Further, sometimes you will get a site telling you that you need to install Java when actually all you need to do is enable the site through the no script icon down on the right hand side of your computer.

----------------------------------------------

Otherwise we will stop here and I will give the clean up instructions.

We have a couple of last steps to perform and then you're all set.Posted Image

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Go to Start > Programs > Accessories and click on Run
  • Copy and paste the the bolded text below in the box then hit OK

    Combofix /Uninstall

    Posted Image
Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vunerable to malicious attack.

  • Download Java for Windows

    Reboot your computer.
    You also need to unininstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browers.

Avant may be downloaded from here. Another one that is less well known.

Chrome may be downloaded from here . One of the most used nowadays.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:

  • If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > System and Security > Windows Update
    * Under Windows Update click on Turn automatic updating on or off
    * Check items shown to ensure you receive updates automatically. Click OK.

    And to keep your system clean consider choosing from these free for home use malware scanners and updating and running weekly.
  • Malwarebytes
  • SuperAntiSpyWare
Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

A fun way to check your online safety literacy.

Quiz - getsafeonline

Have a safe and happy computing day!
  • 0

#39
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,989 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP