1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Inactive [InActive] Help redirections everywhere not just Google Links

Discussion in 'Malware and Virus Removal Archive' started by riverseo, 2009/04/29.

  1. 2009/04/29
    riverseo

    riverseo Inactive Thread Starter

    Joined:
    2008/09/01
    Messages:
    9
    Likes Received:
    0
    It was a bit of a fight just to post here as everytime I clicked new thread it would redirect to another site, same when it goes for downloading some things. Happens like the Google redirect spyware that you see so many people having trouble with here, whatever is happening on my laptop does that as well. I've tried using Malwarebytes, Spybot and AVG to get rid of the **** thing, they find it but it keeps coming back. Here's my MBAM log:

    Malwarebytes' Anti-Malware 1.36
    Database version: 2056
    Windows 5.1.2600 Service Pack 2

    29/04/2009 13:57:45
    mbam-log-2009-04-29 (13-57-30).txt

    Scan type: Quick Scan
    Objects scanned: 69753
    Time elapsed: 3 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> No action taken.
    C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> No action taken.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> No action taken.
    C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> No action taken.
    C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Dropper) -> No action taken.
    C:\WINDOWS\system32\config\SystemProfile\protect.dll (Worm.Autorun) -> No action taken.
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> No action taken.
    C:\Documents and Settings\Joseph\protect.dll (Worm.Autorun) -> No action taken.
    C:\Documents and Settings\Joseph\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> No action taken.
    C:\Documents and Settings\Joseph\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Joseph\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
    C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.

    I can post the hijackthis one as well.
     
    riverseo,
    #1
  2. 2009/04/29
    riverseo

    riverseo Inactive Thread Starter

    Joined:
    2008/09/01
    Messages:
    9
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:05:49, on 29/04/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Documents and Settings\Joseph\Desktop\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    \?\globalroot\C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe "
    O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Joseph\protect.dll,_IWMPEvents@16
    O4 - Startup: ChkDisk.dll
    O4 - Startup: ChkDisk.lnk = ?
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 4759 bytes
     
    riverseo,
    #2


  3. to hide this advert.

  4. 2009/05/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome.

    If you can't get the machine to the below sites needed can you transfer from a clean machine via USB/Flash drive?



    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
    O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Joseph\protect.dll,_IWMPEvents@16
    O4 - Startup: ChkDisk.dll
    O4 - Startup: ChkDisk.lnk = ?




    NEXT**
    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
explorer.exe
:Files
C:\DOCUME~1\Joseph\protect.dll
C:\WINDOWS\system32\autochk.dll
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "autochk "=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "autochk "=-
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • - Close ALL open windows (especially Internet Explorer!)-
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.




    NEXT**

    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    [​IMG]


    [​IMG]
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.


    In your next reply please post:
    OTMoveIt log
    ComboFix.txt
    new HJT log
     
    Last edited: 2009/05/08
    Juliet,
    #3

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...