Wordslife redirect virus

My mum's laptop just got infected with the "Wordslife.com" or redirect virus. It's a Satellite L305-S5945 running Windows Vista and using Norton Security System. Norton is apparently detecting the "attacks" and considers them blocked (and says that no further action is needed). My folks are pretty miffed and would like the issue resolved! ;)

Re: Wordslife redirect virus

Hi crcosper and Welcome to GeekPolice!

Let's do an X-ray to see what we are dealing with before we do any fixes.

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    • DDS.scr
    • DDS.pif

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your thread.

  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

Re: Wordslife redirect virus

Sorry about the late reply. It turns out three of my folks' computers are infected. Oh, well -- let's start with this one...

DDS (Ver_10-03-17.01) - NTFSx86
Run by Cosper Family at 21:45:15.30 on Sat 10/02/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2039.1272 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Cosper Family_2\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cosper Family_2\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cosper Family_2\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Users\Cosper Family_2\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Cosper Family\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Cosper Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cosper Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Cosper Family\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
uRun: [Google Update] "c:\users\cosper family\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-26 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-26 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-9-26 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-26 40384]
R2 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-9-26 39264]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-8-9 1472352]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-26 40384]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\drivers\netr61.sys [2006-12-29 274432]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-26 1343400]

=============== Created Last 30 ================

2010-09-29 09:04:49 524288 --sha-w- c:\users\cosper family\NTUSER.DAT{3ea499e4-cb62-11df-9298-001921d24151}.TMContainer00000000000000000002.regtrans-ms
2010-09-29 09:04:48 65536 --sha-w- c:\users\cosper family\NTUSER.DAT{3ea499e4-cb62-11df-9298-001921d24151}.TM.blf
2010-09-29 09:04:48 524288 --sha-w- c:\users\cosper family\NTUSER.DAT{3ea499e4-cb62-11df-9298-001921d24151}.TMContainer00000000000000000001.regtrans-ms
2010-09-29 09:00:46 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-29 00:46:02 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 02:19:29 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-28 02:19:29 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-28 02:19:08 0 d-----w- c:\program files\iPod
2010-09-28 02:19:07 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-28 02:19:07 0 d-----w- c:\program files\iTunes
2010-09-28 02:18:10 0 d-----w- c:\programdata\Apple Computer
2010-09-28 02:17:36 0 d-----w- c:\program files\Bonjour
2010-09-28 02:17:30 0 d-----w- c:\programdata\Apple
2010-09-27 02:06:52 39264 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-09-27 01:52:19 0 d-----w- c:\program files\common files\Windows Live
2010-09-27 01:45:55 632 --sha-r- c:\users\cosper family\ntuser.pol
2010-09-27 01:27:16 0 d-----w- c:\windows\system32\Wat
2010-09-27 01:23:57 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-27 01:19:44 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-09-27 01:19:44 0 d-----w- c:\windows\system32\x64
2010-09-27 01:18:19 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-27 01:13:08 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-27 01:13:08 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-27 01:13:08 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-09-27 01:13:08 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-27 01:13:08 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-09-27 01:10:26 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-09-27 01:06:11 0 d-----w- c:\users\cosper~1\appdata\roaming\Malwarebytes
2010-09-27 01:06:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-27 01:06:02 0 d-----w- c:\programdata\Malwarebytes
2010-09-27 01:06:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-27 01:06:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-27 00:58:00 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-27 00:57:38 38848 ----a-w- c:\windows\avastSS.scr
2010-09-27 00:57:35 0 d-----w- c:\programdata\Alwil Software
2010-09-27 00:47:15 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-09-27 00:46:54 132608 ----a-w- c:\windows\system32\cabview.dll
2010-09-27 00:39:58 0 d-----w- c:\programdata\Ralink Driver
2010-09-26 22:56:09 0 d-----w- C:\Linksys Driver
2010-09-26 07:01:10 0 d-----w- c:\windows\Panther
2010-09-26 07:00:58 8192 --sha-r- C:\BOOTSECT.BAK
2010-09-26 07:00:57 383562 --sha-r- C:\bootmgr
2010-09-26 07:00:56 0 d-sh--w- C:\Boot
2010-09-26 06:03:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-09-26 05:23:44 0 d-----w- c:\windows\PCHEALTH
2010-09-26 05:21:34 0 d-----w- c:\program files\Microsoft Analysis Services
2010-09-26 05:21:17 0 d-----w- c:\programdata\Microsoft Help
2010-09-26 05:21:12 0 d-sh--w- c:\windows\Installer
2010-09-26 05:13:44 726316 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-09-26 05:13:00 0 d-----w- c:\windows\system32\wbem\Performance
2010-09-08 17:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 17:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-30 03:39:20 209280 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 00:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 00:44:10 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 00:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 00:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:45:45.95 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/25/2010 11:11:24 PM
System Uptime: 10/2/2010 4:57:51 PM (5 hours ago)

Motherboard: ECS | | Livermore
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 142 GiB total, 96.129 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 7.015 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: Photosmart C4700 series
Device ID: USB\VID_03F0&PID_7511&MI_02\6&23BFBEE8&0&0002
Manufacturer:
Name: Photosmart C4700 series
PNP Device ID: USB\VID_03F0&PID_7511&MI_02\6&23BFBEE8&0&0002
Service:

Class GUID:
Description: Photosmart C4700 series
Device ID: USB\VID_03F0&PID_7511&MI_00\6&23BFBEE8&0&0000
Manufacturer:
Name: Photosmart C4700 series
PNP Device ID: USB\VID_03F0&PID_7511&MI_00\6&23BFBEE8&0&0000
Service:

==== System Restore Points ===================

RP1: 9/25/2010 11:20:54 PM - Installed Microsoft Office Professional 2010
RP3: 9/26/2010 6:39:48 PM - Installed Ralink Wireless LAN
RP4: 9/26/2010 6:43:58 PM - Device Driver Package Install: Linksys, A Division of Cisco Systems, Inc. Network adapters
RP5: 9/26/2010 6:57:23 PM - avast! Free Antivirus Setup
RP6: 9/26/2010 7:12:18 PM - Windows Update
RP7: 9/26/2010 7:37:09 PM - Windows Update
RP9: 9/26/2010 8:04:27 PM - Windows Live Essentials
RP10: 9/26/2010 8:05:34 PM - WLSetup
RP11: 9/27/2010 7:08:59 PM - Windows Update
RP12: 9/27/2010 8:18:31 PM - Installed iTunes
RP13: 9/28/2010 6:45:59 PM - Windows Update
RP14: 9/29/2010 3:00:20 AM - Windows Update
RP15: 10/1/2010 8:55:53 AM - Windows Update
RP16: 10/1/2010 8:52:15 PM - Windows Update
RP17: 10/1/2010 8:53:58 PM - Windows Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bonjour
D3DX10
Definition update for Microsoft Office 2010 (KB982726)
Google Chrome
Intel(R) Graphics Media Accelerator Driver
iTunes
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSVCRT
QuickTime
Ralink RT6x Wireless LAN Card
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft OneNote 2010 (KB2288640)
Update for Microsoft Outlook Social Connector (KB2289116)
Windows Live Communications Platform
Windows Live Essentials Beta
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack

==== Event Viewer Messages From Past Week ========

9/30/2010 8:14:43 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
9/29/2010 8:05:54 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
9/27/2010 8:57:37 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
9/27/2010 8:55:52 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
9/26/2010 7:24:01 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 (KB978601).
9/26/2010 7:15:42 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Update for Internet Explorer 8 Compatibility View List for Windows 7 (KB982664).
9/26/2010 7:15:41 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 (KB979309).
10/1/2010 8:26:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.

==== End Of File ===========================
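As an added example (not part of the thread, and not code from the DDS tool), here is a small Python triage pass over the "Pseudo HJT Report" lines of the DDS.txt above; the entry formats are the ones DDS printed, and the flags it raises (orphaned BHO, autostart from a user profile) are assumed helper heuristics to review, not verdicts.

```python
# Added example: triage of DDS "Pseudo HJT Report" entries (BHO:, uRun:/mRun:,
# uStart Page). Not from the thread or the DDS tool; the flags are assumed
# review heuristics a malware-removal helper would apply, not verdicts.
import re

# Constructed sample: entries copied from the DDS.txt posted in the thread.
SAMPLE_HJT = r"""uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Google Update] "c:\users\cosper family\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
"""

CLSID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
START_RE = re.compile(r"^uStart Page\s*=\s*(?P<url>\S+)")
BHO_RE = re.compile(
    r"^BHO:\s*(?:(?P<name>.*?):\s*)?(?P<clsid>" + CLSID + r")\s*-\s*(?P<target>.*)$",
    re.I,
)
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Directory fragments meaning "the autostart image lives in a user profile".
PROFILE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def image_path(cmd):
    """Return the executable path from a Run command line.

    A quoted path is taken whole; otherwise the first token is used, which
    matches how DDS prints these entries (paths with spaces are quoted).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(report):
    """Return (kind, subject, detail) findings for a Pseudo HJT Report block."""
    findings = []
    for line in report.splitlines():
        m = START_RE.match(line)
        if m:
            # Informational: a redirect complaint starts with the homepage.
            findings.append(("start_page", m.group("url"), "browser start page"))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("target").strip().lower() == "no file":
                # A registered CLSID whose DLL is gone: a leftover to clean up,
                # or the remnant of something already removed. Review it.
                findings.append(("orphan_bho", m.group("clsid"),
                                 "BHO CLSID registered but its DLL is missing"))
            continue
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd")).lower()
            if any(marker in path for marker in PROFILE_MARKERS):
                # Autostarts under a user profile are where persistence usually
                # hides; legitimate per-user updaters (as here) land here too.
                findings.append(("profile_autostart", m.group("name"), path))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_HJT):
        print(f"{kind:18} {subject}  ->  {detail}")
```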

Re: Wordslife redirect virus


  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.


    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Re: Wordslife redirect virus

Everything seemed to work fine, but when I got on the Internet to post this reply, the redirect virus struck again...

ComboFix 10-10-05.01 - Cosper Family 10/05/2010 15:10:01.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2039.1274 [GMT -6:00]
Running from: c:\users\Cosper Family\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Cosper Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\{78D47C9C-C957-4BAD-BB81-180D2801833A}.xps
c:\users\Cosper Family\AppData\Local\Temp\10041140-00000ab4-mm1n73rkf5\tmp710B.tmp
c:\users\Cosper Family_2\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2576CE40-E156-46A4-9535-DEFB580E8C95}.xps
c:\users\Cosper Family_2\AppData\Local\Microsoft\Windows\Temporary Internet Files\{73B62F34-04A8-4A71-A1D0-CC0F58622F04}.xps

----- BITS: Possible infected sites -----

hxxp://wlxindex
.
((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-10-05 21:16 . 2010-10-05 21:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-03 03:43 . 2010-10-03 03:43 -------- d-----w- c:\users\Cosper Family\AppData\Roaming\Apple Computer
2010-09-29 09:00 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-29 00:46 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 04:53 . 2009-07-14 01:15 319488 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfppw73.dll
2010-09-28 02:17 . 2010-09-28 02:17 -------- d-----w- c:\programdata\Apple
2010-09-28 01:45 . 2010-09-28 01:45 -------- d-----w- c:\users\Cosper Family_2\AppData\Roaming\Malwarebytes
2010-09-28 01:40 . 2010-09-28 01:41 -------- d-----w- c:\users\Cosper Family_2\AppData\Local\Google
2010-09-28 01:40 . 2010-09-28 01:40 108824 ----a-w- c:\users\Cosper Family_2\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-28 01:40 . 2010-09-28 01:40 -------- d-----w- c:\users\Cosper Family_2\AppData\Local\Deployment
2010-09-28 01:40 . 2010-09-28 01:40 -------- d-----w- c:\users\Cosper Family_2\AppData\Local\Apps
2010-09-27 02:06 . 2010-08-09 11:26 39264 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-09-27 02:04 . 2010-09-27 02:12 -------- d-----w- c:\users\Cosper Family\AppData\Local\Windows Live
2010-09-27 01:54 . 2010-09-28 02:19 -------- dc----w- c:\windows\system32\DRVSTORE
2010-09-27 01:54 . 2010-09-27 02:06 -------- d-----w- c:\program files\Windows Live
2010-09-27 01:52 . 2010-09-27 01:52 -------- d-----w- c:\program files\Common Files\Windows Live
2010-09-27 01:39 . 2010-09-27 01:39 -------- d-----w- c:\windows\system32\Macromed
2010-09-27 01:27 . 2010-09-27 01:27 -------- d-----w- c:\windows\system32\Wat
2010-09-27 01:23 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-27 01:19 . 2010-09-27 01:19 -------- d-----w- c:\windows\system32\x64
2010-09-27 01:19 . 2009-09-24 01:30 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-09-27 01:18 . 2010-05-21 20:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-27 01:13 . 2009-11-25 18:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-27 01:13 . 2009-11-25 18:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-27 01:13 . 2009-11-25 18:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-09-27 01:13 . 2009-11-25 18:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-27 01:13 . 2009-11-25 18:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-09-27 01:10 . 2009-12-08 11:32 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-09-27 01:06 . 2010-09-27 01:06 -------- d-----w- c:\users\Cosper Family\AppData\Roaming\Malwarebytes
2010-09-27 01:06 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-27 01:06 . 2010-09-27 01:06 -------- d-----w- c:\programdata\Malwarebytes
2010-09-27 01:06 . 2010-09-27 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-27 01:06 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-27 00:58 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-27 00:58 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-27 00:58 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-27 00:58 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-27 00:58 . 2010-09-07 14:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-27 00:57 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-27 00:57 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-27 00:57 . 2010-09-27 00:57 -------- d-----w- c:\programdata\Alwil Software
2010-09-27 00:57 . 2010-09-27 00:57 -------- d-----w- c:\program files\Alwil Software
2010-09-27 00:52 . 2010-09-27 00:53 -------- d-----w- c:\users\Cosper Family\AppData\Local\Google
2010-09-27 00:52 . 2010-09-27 00:52 -------- d-----w- c:\users\Cosper Family\AppData\Local\Apps
2010-09-27 00:52 . 2010-09-27 00:52 -------- d-----w- c:\users\Cosper Family\AppData\Local\Deployment
2010-09-27 00:47 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-09-27 00:46 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-09-27 00:39 . 2010-09-27 00:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-27 00:39 . 2010-09-27 00:39 -------- d-----w- c:\programdata\Ralink Driver
2010-09-27 00:39 . 2009-07-14 00:47 323648 ----a-w- c:\programdata\Ralink Driver\RT6x Wireless LAN Card\Driver\difxapi.dll
2010-09-27 00:39 . 2009-06-02 23:35 368128 ----a-w- c:\programdata\Ralink Driver\RT6x Wireless LAN Card\Driver\netr61.sys
2010-09-27 00:39 . 2009-06-02 23:31 221184 ----a-w- c:\programdata\Ralink Driver\RT6x Wireless LAN Card\Driver\RaCoInst.dll
2010-09-27 00:39 . 2008-08-06 22:31 528384 ----a-w- c:\programdata\Ralink Driver\RT6x Wireless LAN Card\Driver\RaInst.exe
2010-09-27 00:39 . 2007-05-17 17:17 192512 ----a-w- c:\programdata\Ralink Driver\RT6x Wireless LAN Card\Driver\CoInstaller.dll
2010-09-27 00:38 . 2010-09-27 00:38 -------- d-----w- c:\users\Cosper Family\AppData\Roaming\InstallShield
2010-09-26 23:32 . 2010-09-26 23:32 -------- d-----w- c:\users\Cosper Family\AppData\Local\ElevatedDiagnostics
2010-09-26 22:56 . 2010-09-26 22:56 -------- d-----w- C:\Linksys Driver
2010-09-26 20:33 . 2010-09-26 20:33 108824 ----a-w- c:\users\Cosper Family\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-26 07:01 . 2010-09-26 05:11 -------- d-----w- c:\windows\Panther
2010-09-26 07:00 . 2010-09-26 07:00 -------- d-----w- C:\Boot
2010-09-26 05:23 . 2010-09-27 01:13 -------- d-----w- c:\program files\Microsoft.NET
2010-09-26 05:23 . 2010-09-26 05:23 -------- d-----w- c:\windows\PCHEALTH
2010-09-26 05:21 . 2010-09-26 05:21 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-09-26 05:21 . 2010-09-26 05:21 -------- d-----w- c:\users\Cosper Family\AppData\Local\Microsoft Help
2010-09-26 05:21 . 2010-09-27 01:23 -------- d-----w- c:\programdata\Microsoft Help
2010-09-26 05:21 . 2010-09-28 02:19 -------- d-sh--w- c:\windows\Installer
2010-09-26 05:21 . 2010-09-26 05:21 -------- d-----r- C:\MSOCache
2010-09-26 05:13 . 2010-10-04 17:43 -------- d-----w- c:\windows\system32\wbem\Performance
2010-09-26 05:12 . 2010-09-26 05:48 -------- d-----w- c:\users\Cosper Family\AppData\Local\Diagnostics
2010-09-24 08:51 . 2010-09-24 08:51 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 02:48 . 2010-09-28 02:19 -------- d-----w- c:\users\Cosper Family_2\AppData\Roaming\Apple Computer
2010-09-28 02:19 . 2010-09-28 02:19 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-28 02:19 . 2010-09-28 02:19 -------- d-----w- c:\program files\iTunes
2010-09-28 02:19 . 2010-09-28 02:19 -------- d-----w- c:\program files\iPod
2010-09-28 02:19 . 2010-09-28 02:18 -------- d-----w- c:\programdata\Apple Computer
2010-09-28 02:19 . 2010-09-28 02:17 -------- d-----w- c:\program files\Common Files\Apple
2010-09-28 02:18 . 2010-09-28 02:18 -------- d-----w- c:\program files\QuickTime
2010-09-28 02:17 . 2010-09-28 02:17 -------- d-----w- c:\program files\Apple Software Update
2010-09-28 02:17 . 2010-09-28 02:17 -------- d-----w- c:\program files\Bonjour
2010-09-27 01:27 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-09-26 06:03 . 2010-09-26 06:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-08-21 05:32 . 2010-09-27 01:11 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-30 03:39 . 2010-07-30 03:39 209280 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-07-29 06:30 . 2010-09-27 01:11 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-09-27 01:11 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 00:44 . 2010-07-28 00:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 00:44 . 2010-07-28 00:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 00:44 . 2010-07-28 00:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 00:44 . 2010-07-28 00:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Cosper Family\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-09-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2010-08-09 885088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-27 1343400]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\netr61.sys [2006-12-29 274432]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3422097760-1814656482-2743559948-1000Core.job
- c:\users\Cosper Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-27 00:52]

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3422097760-1814656482-2743559948-1000UA.job
- c:\users\Cosper Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-27 00:52]

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3422097760-1814656482-2743559948-1001Core.job
- c:\users\Cosper Family_2\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-28 01:40]

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3422097760-1814656482-2743559948-1001UA.job
- c:\users\Cosper Family_2\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-28 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-10-05 15:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-05 21:22

Pre-Run: 103,489,396,736 bytes free
Post-Run: 103,385,485,312 bytes free

- - End Of File - - 733334CEB24999AC619787F4B6E7D598

Re: Wordslife redirect virus
Update & Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
