Ok I need a lot of help!

Re: Ok I need a lot of help!
========== FILES ==========
C:\VDoctor.exe moved successfully.
c:\docume~1\alluse~1\applic~1\b5e6c62\System Data Configuration moved successfully.
c:\docume~1\alluse~1\applic~1\b5e6c62\BackUp moved successfully.
c:\docume~1\alluse~1\applic~1\b5e6c62 moved successfully.
LoadLibrary failed for c:\windows\system32\bfeaaac7_d.dll
c:\windows\system32\bfeaaac7_d.dll NOT unregistered.
c:\windows\system32\bfeaaac7_d.dll moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02222009_133641

Re: Ok I need a lot of help!
Hello.
Do you know what this folder is?
C:\System Data Configuration

Re: Ok I need a lot of help!
Umm... no...
And this file...:
C:\VDoctor.exe
IS THAT VIRUS DOCTOR? THE VIRUS I HAD IN THE FIRST PLACE?

Re: Ok I need a lot of help!
Maybe, that's why I listed it in OTMoveIt
Okay, since you don't know what that folder is, we'll remove it with OTMoveIt again.

  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\docume~1\alluse~1\applic~1\System Data Configuration
    C:\System Data Configuration


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Ok I need a lot of help!
========== FILES ==========
c:\docume~1\alluse~1\applic~1\System Data Configuration moved successfully.
C:\System Data Configuration moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02222009_135336

Re: Ok I need a lot of help!
Hello.
Search something in Google now, see if you still get re-directed or not.

Re: Ok I need a lot of help!
Ok... when I use Google.com I get redirected to ToseekA.com (another search engine... not porn.)

When I use the FireFox HomePage Google Search Box I get redirected to the bad sites.

Re: Ok I need a lot of help!
Hello.
Hmm, let's go deeper.


  • Download combofix from here
    Link 1
    Link 2
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it. See HERE for how to disable your AV. (Avira and Spyware Doctor)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Ok I need a lot of help!
AVIRA ANTIVIR
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background.

* right click it-> untick the option AntiVir Guard enable.
* You should now see a closed, white umbrella on a red background.

You successfully disabled the AntiVir Guard.


I don't see that icon on my toolbar. I have Avira but I don't know how to shut it off.

Re: Ok I need a lot of help!
Press Start > All Programs.
Find the "Avira" folder, and open the interface from there.

Re: Ok I need a lot of help!
Sorry it took so long. Something happened to my network.

ComboFix:
ComboFix 09-02-21.01 - Christy 2009-02-22 15:11:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.152 [GMT -6:00]
Running from: c:\documents and settings\Christy\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 13:36 . 2009-02-22 13:36 d-------- C:\_OTMoveIt
2009-02-16 12:51 . 2009-02-16 12:51 d-------- c:\documents and settings\Christy\Application Data\Malwarebytes
2009-02-16 12:50 . 2009-02-16 12:50 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 12:08 . 2009-02-08 12:08 d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-08 11:58 . 2009-02-08 11:58 d-------- c:\program files\Common Files\Macrovision Shared
2009-02-08 11:41 . 2009-02-08 11:41 129,784 --------- c:\windows\system32\pxafs.dll
2009-02-08 11:41 . 2009-02-08 11:41 118,520 --------- c:\windows\system32\pxinsi64.exe
2009-02-08 11:41 . 2009-02-08 11:41 116,472 --------- c:\windows\system32\pxcpyi64.exe
2009-02-08 11:41 . 2009-02-08 11:41 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-02-08 11:41 . 2009-02-08 11:41 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-02-07 11:38 . 2009-02-07 11:38 d-------- c:\windows\.file_store_32
2009-02-03 20:38 . 2007-12-04 17:10 16,640 -ra------ c:\windows\system32\drivers\PalmUSBD.sys
2009-02-03 20:35 . 2009-02-03 20:35 d-------- c:\documents and settings\Christy\Application Data\Arcsoft
2009-02-03 20:19 . 2009-02-03 20:19 d-------- c:\documents and settings\Christy\Application Data\HotSync
2009-02-03 20:19 . 2009-02-03 20:19 d-------- c:\documents and settings\All Users\Application Data\HotSync
2009-02-03 20:12 . 2009-02-03 20:33 d-------- c:\program files\Palm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 22:40 --------- d-----w c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-02-21 16:35 --------- d-----w c:\documents and settings\Christy\Application Data\Download Manager
2009-02-17 00:09 --------- d-----w c:\program files\No-IP
2009-02-08 17:59 --------- d-----w c:\program files\Common Files\Adobe
2009-02-08 17:41 43,528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-07 17:40 34 ----a-w c:\documents and settings\Christy\jagex_runescape_preferences.dat
2009-01-11 01:26 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-11 01:25 --------- d-----w c:\program files\Java
2008-12-24 21:04 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-12-23 23:40 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-25 17:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102520081026\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-22_14.42.00.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-22 21:02:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_544.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 1053264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-01-03 1392640]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2008-04-03 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 163840]
R2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-16 708688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a27f6b10-7510-11dc-bbed-00c09f73e861}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
FF - ProfilePath - c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\v1hq5pxy.default\
FF - prefs.js: browser.startup.homepage - hxxp://nonstopgamers.smfforfree.com
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 15:16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1472)
c:\program files\Funk Software\Funk Client\odLogin.dll
.
Completion time: 2009-02-22 15:19:24
ComboFix-quarantined-files.txt 2009-02-22 21:18:56
ComboFix2.txt 2009-02-22 20:44:04

Pre-Run: 18,894,684,160 bytes free
Post-Run: 18,882,805,760 bytes free

113 --- E O F --- 2009-01-11 01:37:41
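
The "Reg Loading Points" section is the part of a ComboFix log a responder actually reads: Run-key entries with their target path, build date and size, and at the end the removable-drive AutoRun mount point. As an added example (not from the thread and not ComboFix's own code), here is a small Python parser for that section that pulls the Run entries out and applies two coarse checks: a target outside Program Files or the Windows directory, and one executable registered under several names or hives (as SearchProtection.exe is in this log, three times). The sample text is an excerpt of the log above plus one constructed "SysConfig" line, marked as such, so the path check has something to flag; the trusted-root list and the finding labels are the example's own choices, not part of the tool.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Excerpt of the "Reg Loading Points" section of the ComboFix log above, plus one
# CONSTRUCTED line ("SysConfig") that is not in the real log. It stands in for the
# kind of entry that points into a random Application Data folder like the b5e6c62
# one OTMoveIt removed earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SysConfig"="c:\documents and settings\All Users\Application Data\b5e6c62\sysconf.exe" [2009-02-20 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 1053264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a27f6b10-7510-11dc-bbed-00c09f73e861}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

# A registry header line that is a ...\Run key; any other [header] ends the section.
RUN_KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+\\Run)\]$', re.IGNORECASE)
# "Name"="path" [YYYY-MM-DD size], the format ComboFix uses for Run-key values.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')

# Directories a Run-key target is expected to live in (example's own list).
# Coarse on purpose: the bfeaaac7_d.dll removed earlier sat under c:\windows\system32.
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\')


@dataclass(frozen=True)
class AutostartEntry:
    key: str
    name: str
    path: str
    date: str
    size: int


def parse_run_entries(log_text):
    """Return every value found under a ...\\Run key in the log excerpt."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            m = RUN_KEY_RE.match(line)
            current_key = m.group('key') if m else None
            continue
        if current_key is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(AutostartEntry(current_key, m['name'], m['path'], m['date'], int(m['size'])))
    return entries


def find_autorun_commands(log_text):
    """Return the AutoRun command lines ComboFix lists under mountpoints2."""
    cmds = []
    for raw in log_text.splitlines():
        m = AUTORUN_RE.match(raw.strip())
        if m:
            cmds.append(m['cmd'])
    return cmds


def find_suspicious(entries):
    """Apply the two heuristics; returns (label, value name, target path) tuples."""
    findings = []
    for e in entries:
        if not e.path.lower().startswith(TRUSTED_ROOTS):
            findings.append(('untrusted_path', e.name, e.path))
    # Same executable registered under more than one (hive, value name) pair.
    registrations = defaultdict(set)
    for e in entries:
        registrations[e.path.lower()].add((e.key.lower(), e.name))
    for e in entries:
        if len(registrations[e.path.lower()]) > 1:
            findings.append(('multi_registered', e.name, e.path))
    return findings


if __name__ == '__main__':
    for label, name, path in find_suspicious(parse_run_entries(SAMPLE_LOG)):
        print(f'{label:17} {name:20} {path}')
    for cmd in find_autorun_commands(SAMPLE_LOG):
        print(f'{"autorun_command":17} {"":20} {cmd}')
```

The multi_registered hits on SearchProtection.exe are a Yahoo toolbar component, not malware, and a system32 path passes the root check even though the DLL removed earlier lived there; the script orders what to read first, it does not give a verdict. The AutoRun command for E:\LaunchU3.exe is the U3 launcher on a USB stick, which is worth noting on any machine being cleaned because it runs whenever that stick is inserted.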

Re: Ok I need a lot of help!
Hello.
No malware there.

I do have two things I want to ask about:
c:\program files\No-IP

I'm guessing this is some sort of proxy program? There have been a few different users who experienced problems where the cause was a proxy program.

And this:
FF - prefs.js: browser.startup.homepage - hxxp://nonstopgamers.smfforfree.com

Did you set that as your homepage?

Re: Ok I need a lot of help!
I did the homepage thing. And I was trying something with another site one time and downloaded the No-Ip thing. I thought I deleted it :/

Re: Ok I need a lot of help!
Well delete this folder:
c:\program files\No-IP

Whatever is causing the re-directions, it isn't malware.
Are you still being re-directed?
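
The scanners used so far looked at files, autostart points and rootkit hooks and found nothing, while the search redirect persists in both the address bar and the Firefox home page search box. Settings rather than binaries are the next place to look: the hosts file, and in the Firefox profile directory the ComboFix log printed, prefs.js, which holds the address-bar search URL (keyword.URL in the Firefox 3 of that era) and the proxy configuration (network.proxy.type 1 is a manual proxy, 2 a PAC file). The following Python triage script is an added example, not something posted in the thread. Both input files are constructed: the hosts override uses a documentation-range address and the search pref an example.net host, and the watched-domain list and finding labels are the example's own.

```python
import re
from urllib.parse import urlparse

# CONSTRUCTED inputs for the example; these are not the poster's files.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com   # constructed override
203.0.113.7     google.com
"""

SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://nonstopgamers.smfforfree.com");
user_pref("keyword.URL", "http://search.example.net/?q=");
user_pref("browser.search.selectedEngine", "Google");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.share_proxy_settings", true);
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# Search domains a redirect would target; the example's own list.
WATCHED_DOMAINS = ('google.com', 'yahoo.com')


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        pairs.extend((parts[0], host) for host in parts[1:])
    return pairs


def parse_prefs_js(text):
    """Parse user_pref("name", value); lines into a dict of str/int/bool values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ('true', 'false'):
            prefs[name] = raw == 'true'
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def host_matches(host, domains):
    h = host.lower()
    return any(h == d or h.endswith('.' + d) for d in domains)


def triage(hosts_text, prefs_text):
    """Return (label, detail) findings that would explain a search redirect."""
    findings = []
    # Any hosts entry for a search domain is worth a look, loopback included.
    for ip, host in parse_hosts(hosts_text):
        if host_matches(host, WATCHED_DOMAINS):
            findings.append(('hosts_override', f'{host} -> {ip}'))
    prefs = parse_prefs_js(prefs_text)
    # Address-bar search prefs whose host is not one of the expected engines.
    for name in ('keyword.URL', 'browser.search.defaulturl'):
        url = prefs.get(name)
        if isinstance(url, str) and url:
            if not host_matches(urlparse(url).hostname or '', WATCHED_DOMAINS):
                findings.append(('search_pref', f'{name} = {url}'))
    ptype = prefs.get('network.proxy.type')
    if ptype == 1:
        findings.append(('manual_proxy',
                         f"{prefs.get('network.proxy.http')}:{prefs.get('network.proxy.http_port')}"))
    elif ptype == 2:
        findings.append(('pac_proxy', str(prefs.get('network.proxy.autoconfig_url'))))
    return findings


if __name__ == '__main__':
    for label, detail in triage(SAMPLE_HOSTS, SAMPLE_PREFS):
        print(f'{label:15} {detail}')
```

To run it against the real machine, read C:\WINDOWS\system32\drivers\etc\hosts and the prefs.js under the profile path the ComboFix log printed and pass their contents to triage(). A hosts entry that sends google.com to an arbitrary address, or a keyword.URL pointing at a search host the user did not choose, explains the symptom without any malware binary still being present; a manual proxy on 127.0.0.1 means some local program is sitting in the request path and should be identified before the folder it came from is deleted.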

Re: Ok I need a lot of help!
Yes I'm still being re-directed. But I guess instead of clicking the links, I'll have to copy and paste the URL.

Thank you for your time.
