
Solved Malware Problem, Google Toolbar Redirect, Etc.

Discussion in 'Malware and Virus Removal Archive' started by sheltone, 2010/06/05.

  1. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Regarding those error messages, it's hard to say what happened.
    You'll have to see if Norton is working properly.
    If not, you'll have to reinstall it.

    How is the redirection issue right now?


    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
     
  2. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    The redirection issue "seems" fine but it was hit and miss, didn't redirect every single time so we'll see over the next couple days.

    I ran GMER and it seemed like there would be no Windows crash this time THEN everything froze on my computer. I tried opening Task Manager to shut down the program and it wouldn't open. I tried to open the start menu to reboot but that was frozen too. I couldn't even click the mouse. I finally had to shut down the computer's power to reboot it. Unless you tell me otherwise, I will try running GMER again tomorrow as I'm signing off for tonight. Thanks for all your help thus far.
     


  4. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem.
    Tomorrow, try this:
     
  5. 2010/06/07
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    I won't be able to run GMER again until after dinner today. Got some work to catch up on first. Is there any problem with me running any utilities or programs like Disk Cleanup, Malwarebytes, Norton system scans before we're done with everything? I usually run a couple of these on Mondays.
     
  6. 2010/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'd prefer you hold on with those other scans for now.
     
  7. 2010/06/07
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I tried to run GMER a second time and Windows crashed again.

    I then tried a third time, after un-checking "Devices" in right pane. After scanning for a minute or so, GMER and my entire computer system froze up like it did last night when I tried running it. I had to reboot the system.

    As for doing it in safe mode, I'd be glad to try BUT how can I save GMER to my desktop so it's accessible? I tried but can't seem to manage it. The file's in a download box at the moment. Sorry I'm not especially computer savvy.
     
  8. 2010/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Skip GMER for now.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===============================================================

    Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  9. 2010/06/07
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I uninstalled Combofix. I already have the latest free version of Malwarebytes' Anti-Malware installed. Been using it for close to a year. Will run the scan you requested and post the log.
     
  10. 2010/06/07
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I uninstalled Combofix. I already have the latest free version of Malwarebytes' Anti-Malware installed. Been using it for close to a year. I ran the quick scan you requested and here's the log. No malicious items were detected!


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4177

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/7/2010 11:17:08 PM
    mbam-log-2010-06-07 (23-17-08).txt

    Scan type: Quick scan
    Objects scanned: 129171
    Time elapsed: 8 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  11. 2010/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  12. 2010/06/07
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I ran Temp File Cleaner (TFC). All went well.

    I then went to the Kaspersky website, read through the requirements and privacy statement and clicked on Accept button. Before it started downloading, a message popped up saying the following:

    The application's digital signature is in error. Do you want to run the application?

    How should I proceed, run the program or not?
     
  13. 2010/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Skip Kaspersky.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    Post fresh HJT log as well.
     
  14. 2010/06/08
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I started running ESET last night and at 12:30 pm EST was 30 minutes in and 10% completed so I left the computer on and went to bed. I didn't get back to it until noon today and it had finished, took 3-1/2 hours. It found one threat and cleaned it, I saved the file and have pasted it below.

    ESET gives me the option to check a couple boxes before closing: One is to uninstall application on close, the second is to delete quarantined files. Should I check these boxes before closing down ESET???

    One more question, you asked me to "Post fresh HJT log as well" but I don't know what that is. Let me know and I'll do it.

    Here's the ESET report on the List of found threats. It's really short!

    D:\Program Files\Support.com\backup\in\Inbox\1327443_53f7ba45e_ Win32/Myparty.A worm deleted - quarantined
     
  15. 2010/06/08
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    One quick question on another problem. Normally when I click on a link sent in an email, it uses my Firefox browser to open it, but for the past 2 days, the links open in Internet Explorer. I can only assume something I've done in the past 2 days, one of these programs we've been running perhaps, has caused this to happen. How can I fix it so the links sent in emails only open in Firefox?
     
  16. 2010/06/08
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Ignore the email / link question, I figured it out myself. :)

    No idea why Firefox stopped being my default browser on its own though...........
     
  17. 2010/06/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You may want to check both.

    Sorry for HijackThis thingy :)

    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE: If you're using Vista or 7, right-click on HijackThis, and click Run as Administrator
     
  18. 2010/06/08
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Working on a couple of projects. I won't be able to get to run Hijack This for an hour or so. Thanks!
     
  19. 2010/06/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  20. 2010/06/08
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Am installing Hijack This and will run it. Should I uninstall it when it's finished and I have the log?
     
  21. 2010/06/08
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Boy, that ran fast, it's already done. Should I be doing anything with the results it generated? I haven't a clue if they're all good or something is wrong on there.

    Here's the report.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:12:39 PM, on 6/8/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\TWAIN_32\L12U16U2\SrvMod.exe
    C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.cache.check_doc_frequency ", 2);
    user_pref( "browser.cache.disk.parent_directory ", "C:\\DOCUMENTS AND SETTINGS\\LARRY\\APPLICATION DATA\\Mozilla\\Profiles\\default\\mqbn3599.slt ");
    user_pref( "browser.display.screen_resolution ", 96);
    user_pref( "browser.download.dir ", "C:\\Documents and Settings\\Larry\\My Documents\\Scans_eBay1 ");
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.cache.check_doc_frequency ", 2);
    user_pref( "browser.cache.disk.parent_directory ", "C:\\DOCUMENTS AND SETTINGS\\LARRY\\APPLICATION DATA\\Mozilla\\Profiles\\default\\mqbn3599.slt ");
    user_pref( "browser.display.screen_resolution ", 96);
    user_pref( "browser.download.dir ", "C:\\Documents and Settings\\Larry\\My Documents\\Scans_eBay1 ");
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500 "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\RealDownload.exe
    O4 - Global Startup: SrvMod.lnk = C:\WINDOWS\TWAIN_32\L12U16U2\SrvMod.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 8608 bytes
     
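The question above ("Should I be doing anything with the results?") is what an analyst answers by reading the O2/O4/O23 entries of a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses a few lines copied from the log posted above and marks entries that deserve a second look (an orphaned "(file missing)" component, a service with no vendor string, a BHO loaded from a Windows system directory). The heuristics are assumptions of this example; a flag means "verify", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: six lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
"""

# Every HijackThis entry starts with a section code ("O2", "O23", "R0", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<key>.*?)\] (?P<cmd>.*)$")
# Assumed list of system directories; third-party BHOs normally live under Program Files.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", "%systemroot%")


@dataclass
class Entry:
    kind: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into (kind, name, path); returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O2" and (b := BHO_RE.match(body)):
        return Entry(kind, b["name"], b["path"])
    if kind == "O23" and (s := SVC_RE.match(body)):
        e = Entry(kind, s["name"], s["path"])
        if s["owner"].lower() == "unknown owner":
            e.reasons.append("no vendor string: verify the file's signature and origin")
        return e
    if kind == "O4" and (r := RUN_RE.match(body)):
        return Entry(kind, r["key"], r["cmd"])
    return Entry(kind, "", body)


def triage(entry):
    """Attach review reasons based on where the component lives and whether it exists."""
    path = entry.path.lower()
    if "(file missing)" in path:
        entry.reasons.append("orphaned: registered component no longer on disk")
    elif entry.kind == "O2" and path.startswith(SYSTEM_DIRS):
        entry.reasons.append("third-party BHO loaded from a Windows system directory: verify the DLL")
    return entry


def review_log(text):
    """Return only the entries that carry at least one review reason."""
    flagged = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and triage(e).reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(f"{e.kind} {e.name!r} -> {e.path}")
        for r in e.reasons:
            print("   -", r)
```

Orphaned entries such as the AVG one are clutter left behind by an uninstall; the other two flags only say the file should be checked (publisher, signature, hash) before deciding anything.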
