Search links redirected & IE won't open...

As of today, I have encountered the same problems as the other topics relating to Google search link hijacking issues;
however, in addition to that problem (whenever I click on a link from a search engine I am taken to other sites, so I
have to manually type in address, and things are fine then), Internet Explorer won't open at all...not that I use it,
but it's weird, no error box or anything, just tries to open but doesn't. No other issues, and computer is running fast.
Nothing of interrest picked up on HIjack This or with Malwarebites, and don't see the files that combofix found
on the other gentleman's computer...

p.s. the site redirecting that happens in Firefox only affects Google & Yahoo searches it seems---I went to the very
old school Lycos, and I can click on those links just fine without any redirecting...

Last edited by soporific714 on 7th January 2010, 6:27 am; edited 1 time in total (Reason for editing : forgot soemthing)

Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.

• Now click on the Connections tab and then the Lan Settings button
  
• Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the Apply button and then the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.
  

==

Please download Cheetah-Anti-Rogue, and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  
• Double-click on Cheetah-Anti-Rogue.cmd to start.
  
• It will finish quickly and launch a log.
  
• Post the contents of it in your next reply.

Also, let me know if Internet Explorer works again.

Thanks for the quick response!! Re: the Internet Explorer issue...I can't even get the browser to open, the egg timer shows up for a
couple seconds next to the arrow, and that's it...even tried opening IE through the task manager, no go...like I said before though, I don't
really care since I never use IE, but I realize that it's a sign of some problem...

the Cheetah deal found something though, here's the log:
_______________________________________________________________
Cheetah Anti-Rogue v1.0.22
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Thu 01/07/2010 8:00:59.59


-- Known infection --

c:\windows\system32\Process.exe (Trj.Unknown_Backdoor)


If objects found, full virus scan or anti-malware scan necessary


EOF
_____________________________________________________________________


Also, just in case I am missing something, here are my last Hijack This and Malwarebites logs:

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/6/2010 9:19:10 PM
mbam-log-2010-01-06 (21-19-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192890
Time elapsed: 1 hour(s), 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of HijackThis v1.99.1
Scan saved at 08:00:12, on 1/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bill Schoen\Desktop\Tunes\Misc\Programs\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bill Schoen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O20 - AppInit_DLLs: C:\WINDOWS\system32\P_FH.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe



Let me know if what I should do about "-- Known infection --

c:\windows\system32\Process.exe (Trj.Unknown_Backdoor) "


---JG


p.s. last night i downloaded Google Chrome, just to see if the same problems would happen there...wouldn't even run...like IE...
what a random virus...

Not sure, but that detection might be a false positive. I am going to pull that file for testing. Have you ever used SmitfraudFix?

We are going to check for rootkits, since this beast has to be hiding. For some reason, the HijackThis logs are really short, and Internet Explorer is not working.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Here's the GMER scan log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-09 07:28:04
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\BILLSC~1\LOCALS~1\Temp\pxtdqpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Also, suddenly now I have an error message that pops up for virtually everything I open, even is on the screen before I log in:

"The application or DLL C:/WINDOWS/system32/0020.DLL is not a valid Windows image. Please check this against your installation diskette"

soemtimes just already running processes will make it pop up...


That process.exe file the Cheetah scan turned up has the following in the properties: "Copyright 2003 Craig.Peacock@beyondlogic.org"


p.s. one last thing that's weird now too...the time/date in the bottom right corner has gone Europeon on me all of a sudden,
showing 13:30 for 1:30 p.m.... wtf?!

Last edited by soporific714 on 9th January 2010, 5:14 pm; edited 1 time in total (Reason for editing : forgot something)

OKAY.... just done 2 restarts & scans and seem to be all clean and clear...no redirected links anymore, and IE is working fine...no more error messages...
I went ahead and used HostsXpert to reset the host on my comp, and since then everything has been fine...

Also, re: Hijack This logfile being so small...it's because I cleaned things up obsessively about
4 years ago when I got a virus last...

Finally, re: Process.exe...yes, I had used SmitFraud in the past, and that was the culprit, so I deleted that file.
I also deleted that 0020.DLL file from the system32 folder

SO, no clue what/where/who/how exactly it was screwing with things, but resetting the host seemed to work like magic, and there
are loads of other people experiencing this same problem (with the redirected links anyways), so spread the word to try what I've done.
Still, a bit anti-climatic not knowing what the hell that was all about....weak virus though, I spose I should be happy to have it
fixed with no major headaches

Let me know if you have any other questions/concerns.... for all the help!

---JG


p.s. what other security platforms do you recommend having, other than HijackThis and Malwarebites?

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Here's the what I've got:

CCleaner, which I use after almost every internet usage
Malwarebites, the free version
HijackThis, which I only use if there are problems

I don't run any live security other than the basic Windows stuff...I realize that's lazy
of me, but also know that many of the paying platforms (i.e. Norton) are shite...
If I was going to actually pay for live protection, what is my best bang for the buck
in your opinion? To be honest, I know I should have better protection due to the
fact that I'm on an unregistered XP platform.

If you are going to pay, use Avira Antivir Premium. It is a low cost, powerful suite.

If you want very good protection from all dangers, get Kaspersky Internet Security. It is an expensive, highly powerful security suite.

Otherwise, I got some free versions included below in this article:

http://www.geekpolice.net/computer-security-f27/preventing-malware-and-being-resistant-to-the-dangers-of-the-internet-t16961.htm

Cool, I went ahead and got Avira, did a full scan and found yet another, albeit reƖative harmless, Trojan that was stashed away in the friggin System Volume Control files!! Computer is running fast and better than ever! Just one last little thing, and I'm kind of embarrassed to ask, but I can't seem to figure out how I can reset the clock to show regular American time instead of the universal crap (right now showing 14:29 instead of 2:29, annoying). When I open it up, it shows the normal looking time under that clock face, and the time zone is correct... ??? It's the only lingering fallout from this infection

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

For the time:

Click Start > Control Panel.

Switch to 'classic' view on Control Panel and open up Regional and Language options. Click Customize.

Then, under Time, change time format from HHss to 'hss tt'. Click OK, then again. Glance down at your notification bar, and you'll see the twelve hour time

BAD NEWS!

Whatever it was is back, with a vengeance...have only been able to get my computer booted in safemode until this
morning, when I lucked out....IE is completely GONE, as is Malwarebites...when I went to reinstall MB (ala mbam.exe),
it won't even open it...won't run GMER...won't run Avira at all either, won;t even open it...system restore won't work either

I'm afraid to even restart it now that things are, at least running...I've backed up all my important documents & software,
files, music, pics, etc... Any suggestions? The usual stuff again, now that I'm online: major search engine links are redirected,
excepting for Lycos (?!), but otherwise computer seems to be running fine...how the hell could MBites & IE just have disappeared???
I mean, there are NO files in the IE folder, nȯne...?????

You can do this on any computer in your network.

Please go to this webpage: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

This is a Conficker test. Please let me know if you see all the images at the table at the top of the page. If you do not, please tell me which ones are missing. (I.E. Top Row Second Column, or Bottom Row First Column, etc.).

All the images are there:

F Secure, Secure works, Trend Micro
Puffer fish, Penguin, Little Devil guy

...so I guess that's good news...

See if you can get this to download and run, or transfer it from another computer to the infected one:

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

...as posted above, GMER won't work at all, just like Avira & Malwarebites...it shows the egg-timer for a second, then is gone and nothing
happens...tried opening it through the task manager as well, no go... Your CheetahRogue thing works, but turns up nothing,
and CCleaner still functions, as does HiJackThis... Also, when I went to try and download Combofix again to run it, my computer refuses
to connect with bleepingcomputer.com Also getting loads of error messages...now it won't let me open the task manager, saying it
has been disabled by the administrator.... WTF?!

??!?!

p.s. here's the latest HijackThis scan...there are a couple new items on there from the system32 folder...doesnt look good:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:42 AM, on 1/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss32.exe
C:\Documents and Settings\Bill Schoen\Desktop\Tunes\Incomplete\windows-kb890830-v3.3.exe
c:\5737accfdc336fe6f6a8da5d3fd5c581\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Documents and Settings\Bill Schoen\Desktop\Tunes\Misc\Programs\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

...particularly the F2, and O4 issue with smss32.exe that wasn't there before... ???

I fixed the task manager problem...whatever this thing is had reset the registry values for the task manager to
1 instead of 0...

feel fairly confident that it's the FakeAlert trojan: when I did searches on those new editions to the HijackThis
log, I had a bunch of hits on spss32.exe and winlogon32.exe....should I just removed them, or will they
replicate when i reboot...?

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

as before, after downloading Malwarebites and double-clicking on the mbam.exe icon, nothing happens....
Gmer won't run
Kaspersky won't run

Only things functional are CCleaner, HijackThis, and the Windows Malicious Removal thingie...

The weird thing is that, apart from Google and other major search engines not working, and the scanners not opening,
the computer is running fast. I can use Firefox just fine as long as I am not doing searches...although, Lycos
search page is unaffected...suppose that's a sign of them being all but obsolete...

Anyways, at this point I almost figure its something deep and nasty like Vundo...

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

neither of those websites will even open on my Browser...in fact, GeekPolice and a handful of other smaller forums are the only computer-aid pages that will load... Is there a way to get combofix from another source?

Please go to this webpage: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

This is a Conficker test. Please let me know if you see all the images at the table at the top of the page. If you do not, please tell me which ones are missing. (I.E. Top Row Second Column, or Bottom Row First Column, etc.).

they are all there...

Ok.

Try this:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

...so, as I was unable to get either bleepingcomputer or geekstogo to open on this, went
to work and downloaded ComboFix there, brought it home, run it....HA HA , think we got the little f&*@er!!!

here's the log:

ComboFix 10-01-19.03 - Bill Schoen 01/19/2010 17:15:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.772 [GMT -7:00]
Running from: D:\Combo-Fix.exe
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bill Schoen\Start Menu\Internet Security 2010.lnk
C:\LOG.TXT
C:\s
c:\windows\system32\drivers\H8SRTwswuyurgba.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\H8SRTfypqxylkli.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTqpxeolevxf.dat
c:\windows\system32\H8SRTrijraftdct.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTtatmslptqb.dll
c:\windows\system32\H8SRTuwfiwnxvbf.dll
c:\windows\system32\tmp.reg
c:\windows\system32\warning.html
c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-18 21:55 . 2010-01-18 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-18 17:50 . 2010-01-20 00:14 -------- d-----w- c:\program files\Alwil Software
2010-01-18 15:32 . 2010-01-18 15:32 2 --shatr- c:\windows\winstart.bat
2010-01-18 14:48 . 2010-01-18 14:48 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-01-17 14:20 . 2010-01-17 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-17 14:20 . 2010-01-17 14:20 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-10 18:55 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-07 06:04 . 2010-01-07 06:05 -------- d-----w- c:\documents and settings\Bill Schoen\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 23:21 . 2006-11-09 21:09 -------- d-----w- c:\program files\mIRC
2010-01-11 15:28 . 2006-10-06 22:10 -------- d-----w- c:\program files\AltoMP3 Gold
2009-12-13 16:10 . 2009-12-13 15:16 -------- d-----w- c:\program files\Yahoo!
2009-12-13 15:19 . 2009-12-13 15:19 -------- d-----w- c:\documents and settings\Bill Schoen\Application Data\Yahoo!
2009-11-28 02:53 . 2007-05-30 17:09 -------- d-----w- c:\program files\eMusic Download Manager
2009-11-28 02:48 . 2007-11-10 13:36 -------- d-----w- c:\program files\eMusic Remote
2009-11-21 16:36 . 2004-08-04 07:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 05:48 . 2004-08-04 07:56 662016 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [8/7/2008 10:06 AM 15872]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/1/2008 7:23 AM 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/1/2008 7:23 AM 107272]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [9/25/2008 7:02 AM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Bill Schoen\Application Data\Mozilla\Firefox\Profiles\aq6lfsbn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-19 17:33:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-20 00:33

Pre-Run: 36,130,811,904 bytes free
Post-Run: 36,102,500,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E31BF0C2B361038CE0BBA26DDF12E84E



I've done a couple of reboots since, and things seem to be working well:

no hijacked search links
no blocked webpages
no errors
AV software is able to open again and running fine


what next boss?

One file to delete. This should be all the infection.

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   File::
   c:\windows\winstart.bat
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

==

We Need to Diagnose a Possible Problem with WGA

1. Please download MGADiag and save it to your desktop.
   
2. Double click the icon on your desktop.
   
3. Push
   
4. Push
   
5. Go to Start -> Run and type in "Notepad"
   
6. Go to Edit -> Paste in notepad.
   
7. x out all of the numbers and letters in the line beginning with "Windows Product Key:"
   
8. Copy and paste that log here along with the ComboFix log.

When I did file drag into Combofix, it loaded and displayed the following message in the blue box:

" 'NIRCMDC' is not recognized as an internal or external command, operable program or batch file "

And that's all that happened...


p.s. re: the WGA issue...I removed it from my computer, as I have a borrowed copy of XP
running here

ComboFix has been updated, per the developer as of 1pm today. Please delete your copy and download a new one.

Then, please try the script again.

WORD! Here's the ComboFix Log:

ComboFix 10-01-21.08 - Bill Schoen 01/22/2010 15:38:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.637 [GMT -7:00]
Running from: c:\documents and settings\Bill Schoen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bill Schoen\Desktop\CFScript.txt
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\dvfr.sys
c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ygwm


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-20 00:51 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-20 00:51 . 2010-01-20 00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 00:51 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 21:55 . 2010-01-18 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-18 17:50 . 2010-01-20 00:14 -------- d-----w- c:\program files\Alwil Software
2010-01-18 14:48 . 2010-01-18 14:48 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-01-17 14:20 . 2010-01-17 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-17 14:20 . 2010-01-17 14:20 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-10 18:55 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-07 06:04 . 2010-01-20 00:57 -------- d-----w- c:\documents and settings\Bill Schoen\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 01:31 . 2006-11-09 21:09 -------- d-----w- c:\program files\mIRC
2010-01-11 15:28 . 2006-10-06 22:10 -------- d-----w- c:\program files\AltoMP3 Gold
2009-12-13 16:10 . 2009-12-13 15:16 -------- d-----w- c:\program files\Yahoo!
2009-12-13 15:19 . 2009-12-13 15:19 -------- d-----w- c:\documents and settings\Bill Schoen\Application Data\Yahoo!
2009-11-28 02:53 . 2007-05-30 17:09 -------- d-----w- c:\program files\eMusic Download Manager
2009-11-28 02:48 . 2007-11-10 13:36 -------- d-----w- c:\program files\eMusic Remote
2009-11-21 16:36 . 2004-08-04 07:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 05:48 . 2004-08-04 07:56 662016 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [8/7/2008 10:06 AM 15872]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/1/2008 7:23 AM 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/1/2008 7:23 AM 107272]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [9/25/2008 7:02 AM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Bill Schoen\Application Data\Mozilla\Firefox\Profiles\aq6lfsbn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-01-22 15:52:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 22:52
ComboFix2.txt 2010-01-20 00:33

Pre-Run: 35,507,470,336 bytes free
Post-Run: 35,483,181,056 bytes free

- - End Of File - - DB78B9A7FF2752D8D3AE329321134BEC



anything left to do? Is it cool to remove Combofix and the Qoobox folder it created in the C: drive?

btw,

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

==

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

what does the Security Check program do?

Checks to see what security programs are running on your computer.

cool, ran it and here's the log:


Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Antivirus out of date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
Out of date HijackThis installed!
HijackThis 1.99.1
CCleaner (remove only)
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.6
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


what next boss?

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: http://www.GeekPolice.net/operating-systems-f20/windows-xp-service-pack-3-information-t16956.htm

==

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Thank you for all your assistance through this bud! Got a couple questions for ya:

1) what exactly does an extra firewall do?

2) IE never did re-appear...which I couldn't care less about, since I only use Firefox, but CCleaner keeps
hitting a bunch of registry spam every reboot that's IE related...computer seems to be running fine.

---JG

1) what exactly does an extra firewall do?

A third party firewall will block incoming and outgoing traffic. Windows XP firewall only blocks incoming traffic. So, a better firewall is a good idea.

2) IE never did re-appear...which I couldn't care less about, since I only use Firefox, but CCleaner keeps
hitting a bunch of registry spam every reboot that's IE related...computer seems to be running fine.

I would recommend to try to reinstall Internet Explorer. The Registry entries are going to continually appear because Internet Explorer keeps giving off an error.

If this issue continues with Internet Explorer, start a new topic in our tech forums and we will assist you in that issue.

Word!