
Thread: Malware redirects Google Search Results

  1. #61 Member (Join Date Apr 2012, Posts 46)

    Adobe and Java were downloaded per instructions.

  2. #62 Emeritus (Join Date Apr 2011, Location USA, Posts 1,038)

    Hi,

    Good job getting all that done.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      C:\Documents and Settings\Mike Hoover\Desktop\SmitfraudFix.exe
      C:\Documents and Settings\Mike Hoover\Desktop\SmitfraudFix\Process.exe
      C:\Documents and Settings\Mike Hoover\Desktop\SmitfraudFix\restart.exe
      C:\Documents and Settings\Mike Hoover\Desktop\SmitfraudFix\SmitfraudFix.zip
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    In your next reply post the new ComboFix log and let me know how your system is running.

  3. #63 Member (Join Date Apr 2012, Posts 46)

    ComboFix 12-04-17.01 - Mike Hoover 04/20/2012 8:18.7.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.284 [GMT -4:00]
    Running from: c:\temp\ComboFix.exe
    Command switches used :: c:\documents and settings\Mike Hoover\Desktop\CFScript.txt
    FW: Sunbelt Personal Firewall *Enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
    .
    FILE ::
    "c:\documents and settings\Mike Hoover\Desktop\SmitfraudFix.exe"
    "c:\documents and settings\Mike Hoover\Desktop\SmitfraudFix\Process.exe"
    "c:\documents and settings\Mike Hoover\Desktop\SmitfraudFix\restart.exe"
    "c:\documents and settings\Mike Hoover\Desktop\SmitfraudFix\SmitfraudFix.zip"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-20 10:52 . 2012-04-20 10:52 -------- d-----w- c:\documents and settings\Mike Hoover\Local Settings\Application Data\Sun
    2012-04-20 02:38 . 2012-04-20 02:37 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-04-19 11:50 . 2012-04-19 11:50 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-19 11:25 . 2012-04-19 11:25 -------- d-----w- c:\windows\nview
    2012-04-17 09:12 . 2012-04-17 09:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Seagate
    2012-04-17 01:48 . 2012-04-17 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MemeoCommon
    2012-04-17 01:47 . 2012-04-17 09:13 -------- d-----w- c:\documents and settings\Mike Hoover\Application Data\Memeo
    2012-04-17 01:47 . 2012-04-17 01:47 -------- d-----w- c:\documents and settings\Mike Hoover\Application Data\Seagate
    2012-04-17 01:47 . 2012-04-17 01:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Seagate
    2012-04-17 01:45 . 2012-04-17 01:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
    2012-04-17 01:45 . 2012-04-17 01:47 -------- d-----w- c:\program files\Common Files\Memeo
    2012-04-17 01:45 . 2012-04-17 01:46 -------- d-----w- c:\program files\Memeo
    2012-04-17 01:45 . 2012-04-20 11:07 -------- d-----w- c:\documents and settings\Mike Hoover\Local Settings\Application Data\temp
    2012-04-15 15:39 . 2012-04-15 15:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-04-15 12:15 . 2012-04-20 12:12 -------- d-----w- c:\windows\system32\CatRoot2
    2012-04-15 12:03 . 2001-08-18 02:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
    2012-04-15 12:02 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
    2012-04-15 12:02 . 2001-08-17 18:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
    2012-04-15 12:02 . 2001-08-17 16:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
    2012-04-15 12:02 . 2001-08-17 18:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
    2012-04-15 12:02 . 2001-08-17 17:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
    2012-04-14 18:48 . 2012-04-15 12:38 -------- d-----w- C:\ERDNT
    2012-04-14 17:34 . 2012-04-14 17:34 -------- d-----w- c:\program files\Broadcom
    2012-04-14 17:26 . 2002-08-29 10:00 18944 ----a-w- c:\windows\system32\simptcp.dll
    2012-04-14 13:55 . 2012-04-14 13:55 -------- d-----w- c:\program files\CONEXANT
    2012-04-14 13:55 . 2002-10-07 16:29 11027 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
    2012-04-14 13:55 . 2002-10-07 16:17 69632 ----a-w- c:\windows\system32\mdmxsdk.dll
    2012-04-14 13:55 . 2002-10-09 17:50 170499 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
    2012-04-14 13:55 . 2002-10-09 17:50 1175536 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
    2012-04-14 13:55 . 2002-10-09 17:44 604240 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
    2012-04-14 13:46 . 2002-09-26 22:04 27786 ----a-w- c:\windows\system32\HSFCI004.dll
    2012-04-14 13:45 . 2001-08-22 12:42 13632 ----a-w- c:\windows\system32\drivers\omci.sys
    2012-04-13 22:34 . 2006-03-02 00:30 618880 ----a-w- c:\windows\system32\drivers\IntelC52.sys
    2012-04-13 22:34 . 2005-05-06 18:42 1339776 ----a-w- c:\windows\system32\drivers\IntelC51.sys
    2012-04-13 22:34 . 2005-05-06 18:40 47360 ----a-w- c:\windows\system32\drivers\IntelC53.sys
    2012-04-13 22:34 . 2005-05-06 18:40 36880 ----a-w- c:\windows\system32\drivers\mohfilt.sys
    2012-04-13 22:34 . 2005-05-06 18:39 172032 ----a-w- c:\windows\system32\intelmoh.dll
    2012-04-13 22:34 . 2005-05-06 18:39 49152 ----a-w- c:\windows\system32\mhwt.dll
    2012-04-11 12:00 . 2012-04-11 12:00 1409 ----a-w- c:\windows\QTFont.for
    2012-04-10 21:16 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-10 21:16 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
    2012-04-10 19:55 . 2007-04-26 14:21 302000 ----a-w- c:\windows\system32\drivers\fwdrv.sys
    2012-04-08 23:44 . 2012-04-08 23:44 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2012-04-08 20:26 . 2012-04-08 20:26 -------- d-----w- c:\program files\ERUNT
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-20 02:37 . 2010-08-03 01:12 567696 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-20 02:37 . 2008-03-18 23:50 141312 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-04 19:56 . 2010-05-01 12:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-01 01:25 . 2004-08-24 00:32 832512 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 01:25 . 2010-06-24 23:50 78336 ----a-w- c:\windows\system32\ieencode.dll
    2012-03-01 01:25 . 2002-08-29 10:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-03-01 01:25 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2012-02-29 14:10 . 2002-08-29 10:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2002-08-29 10:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-25 13:11 . 2011-05-23 10:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-03 09:22 . 2002-08-29 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2001-02-27 00:16 . 2010-05-23 01:29 53295 ----a-w- c:\program files\opera\program\plugins\PlugDef.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-26 98304]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-26 296056]
    "Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-04-23 136416]
    "Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
    "Memeo Send"="c:\program files\Memeo\Memeo Send\MemeoLauncher.exe" [2009-11-05 236816]
    "Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
    "nwiz"="nwiz.exe" [2003-07-28 323584]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    c:\documents and settings\Mike Hoover\Start Menu\Programs\Startup\
    Seagate Product Registration.lnk - c:\documents and settings\Mike Hoover\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2012-4-16 1731736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-9-2 24576]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-09-30 86016]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
    "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
    "c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
    .
    R1 fwdrv;Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fwdrv.sys [4/10/2012 3:55 PM 302000]
    R1 khips;Kerio HIPS Driver;c:\windows\SYSTEM32\DRIVERS\khips.sys [4/26/2007 10:21 AM 72624]
    R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [4/22/2010 8:33 PM 25824]
    R2 NgVpnMgr;Aventail VPN Client;c:\windows\SYSTEM32\ngvpnmgr.exe [5/18/2011 2:48 AM 290472]
    R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 12:42 PM 14088]
    R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [4/26/2007 10:21 AM 1234480]
    R3 NgLog;Aventail VPN Logging;c:\windows\SYSTEM32\DRIVERS\nglog.sys [5/18/2011 2:11 AM 27208]
    R3 NgVpn;Aventail VPN Adapter;c:\windows\SYSTEM32\DRIVERS\ngvpn.sys [5/18/2011 2:11 AM 81480]
    S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]
    S3 NgFilter;Aventail VPN Filter;c:\windows\SYSTEM32\DRIVERS\ngfilter.sys [5/18/2011 2:11 AM 23112]
    S3 NgWfp;Aventail VPN Callout;c:\windows\SYSTEM32\DRIVERS\ngwfp.sys [5/18/2011 2:11 AM 25160]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    efs
    aegisp
    nsm1bus
    MRENDIS5
    NWADI
    w70n51
    s117bus
    ctaud2k
    netdevio
    rchost
    houdiniserver
    HFACSVC
    ctdvda2k
    atikmdag
    pciSd
    racsvc
    defwatch
    vpcnfltr
    Subsonic
    GT680x
    sskbfd
    aaksrv
    zntport
    vstor2-ws60
    lanusb
    procmon10
    w810bus
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3448474522-3304514054-2523392379-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
    .
    2012-04-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3448474522-3304514054-2523392379-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com
    mWindow Title = Microsoft Internet Explorer
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\Mike Hoover\Application Data\Mozilla\Firefox\Profiles\h1ofpo0d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Myibidder (Myibay) Bid Sniper for eBay: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-20 08:47
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(8032)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\System32\SCardSvr.exe
    c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\System32\locator.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    c:\program files\Memeo\AutoBackup\InstantBackup.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    c:\program files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-20 09:02:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-20 13:02
    ComboFix2.txt 2012-04-18 11:59
    ComboFix3.txt 2012-04-17 09:27
    ComboFix4.txt 2012-04-13 06:10
    ComboFix5.txt 2012-04-20 12:12
    .
    Pre-Run: 51,302,764,544 bytes free
    Post-Run: 51,291,750,400 bytes free
    .
    - - End Of File - - 348039502D412B9AABF1920D6A1699C5
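
A log like the one above is normally read by hand, section by section. As an added example (not part of the thread and not ComboFix's own tooling), the following Python pulls out the sections a reviewer checks first (Other Deletions, Files Created, the Run keys under Reg Loading Points, and the modules ComboFix listed per process) and applies a few review heuristics: autorun entries with a relative path that Windows must resolve via PATH, executables or modules under user-writable directories, and a deleted file that still shows as loaded in a process. The sample log is a constructed excerpt in the same shape as the posted one; the section names, directory list and finding categories are my assumptions. Each finding is a prompt for review, not a verdict: the one module flagged here, LVPrcInj01.dll, sits in a logishrd folder next to the LogiShrd services in the same log, which is exactly the kind of context a heuristic cannot weigh on its own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix log posted above: section
# banners, one "Other Deletions" path, two "Files Created" rows, three Run-key
# entries and the module list ComboFix printed for explorer.exe.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
.
2012-04-20 02:38 . 2012-04-20 02:37 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-19 11:50 . 2012-04-19 11:50 -------- d-----w- C:\TDSSKiller_Quarantine
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(8032)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
"""

PAREN_BANNER = re.compile(r"^\(+\s*([^()]+?)\s*\)+$")          # ((( Section )))
DASH_BANNER = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")          # --- Section ---
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"\s*(.*?)\s*(?:\[(\d{4}-\d{2}-\d{2}) (\d+)\])?$')
CREATED_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")
PROC_HEADER = re.compile(r"^- - - - - - - > '(.+?)'\((\d+)\)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Directories an ordinary user can write to; assumed list, extend as needed.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\documents and settings\\")


def parse_combofix(text: str) -> Dict[str, object]:
    """Split a ComboFix-style log into the sections a reviewer reads first."""
    parsed = {"deletions": [], "created": [], "autoruns": [], "loaded_dlls": {}}
    section = None
    reg_key = None
    proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                       # ComboFix pads sections with lone dots
        banner = PAREN_BANNER.match(line) or DASH_BANNER.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section == "Other Deletions" and DRIVE_PATH.match(line):
            parsed["deletions"].append(line)
        elif section and section.startswith("Files Created"):
            row = CREATED_ROW.match(line)
            if row:                        # (created, modified, size, attrs, path)
                parsed["created"].append(row.groups())
        elif section == "Reg Loading Points":
            key = REG_KEY.match(line)
            if key:
                reg_key = key.group(1)
                continue
            val = REG_VALUE.match(line)
            if val and reg_key:            # (key, name, path, args, date, size)
                parsed["autoruns"].append((reg_key,) + val.groups())
        elif section == "DLLs Loaded Under Running Processes":
            hdr = PROC_HEADER.match(line)
            if hdr:
                proc = hdr.group(1)
                parsed["loaded_dlls"].setdefault(proc, [])
            elif proc and DRIVE_PATH.match(line):
                parsed["loaded_dlls"][proc].append(line)
    return parsed


def triage(parsed: Dict[str, object]) -> List[Tuple[str, str]]:
    """Heuristic review prompts over the parsed log; every hit needs a human look."""
    findings = []
    for key, name, path, args, date, size in parsed["autoruns"]:
        if not DRIVE_PATH.match(path):
            findings.append(("relative-autorun", f"{key}\\{name} -> {path}"))
        elif any(d in path.lower() for d in USER_WRITABLE):
            findings.append(("user-writable-autorun", f"{key}\\{name} -> {path}"))
    deleted = {p.lower() for p in parsed["deletions"]}
    for proc, dlls in parsed["loaded_dlls"].items():
        for dll in dlls:
            if dll.lower() in deleted:     # removed on disk but still mapped in a process
                findings.append(("deleted-still-loaded", f"{proc}: {dll}"))
            elif any(d in dll.lower() for d in USER_WRITABLE):
                findings.append(("user-writable-module", f"{proc}: {dll}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_combofix(SAMPLE_LOG)):
        print(f"[{category}] {detail}")
```

On the sample this reports two prompts: the `nwiz` Run entry, whose bare `nwiz.exe` is resolved through PATH at logon, and LVPrcInj01.dll, which ComboFix lists as deleted yet still shows mapped into explorer.exe, consistent with the log's note that the machine had to be rebooted to finish.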

  4. #64 Member (Join Date Apr 2012, Posts 46)

    Hi Jeff. My system is running well. I mentioned some of these things before. These are things that don't seem right to me.

    When I send email, I get a pop-up window that someone is trying to access my email addresses or contact list or something and I have to "allow" it. This is driving me crazy. This may have something to do with the hard drive I added which embedded a toolbar into Outlook (can you believe that?). And when I delete the toolbar, it shows up again the next time I reboot. I can't know for sure if this Outlook behavior is because of the external hard drive software or not.

    When I boot up, the system no longer sees my harddrive for some reason. I could probably fix that by removing all of the software for the product and starting over again. I'm sure I could fix it myself.

    I could probably fix it by running Microsoft Fix it Center, but I cannot pull the software from Microsoft using their downloaded setup exe. And when I looked up this problem, they said it's usually caused by malware removal software that prevents certain exes from running on your PC. I can live without this, just don't know how often I'll encounter this sort of thing.

    Outside of those non-serious issues, everything's running well and I'm not noticing any issues.

  5. #65 Emeritus (Join Date Apr 2011, Location USA, Posts 1,038)

    Hi,

    This may have something to do with the hard drive I added which embedded a toolbar into outlook (can you believe that?)
    I would say that sounds accurate.
    ----------

    If your external hard drive is used through a USB port, then it was ComboFix that stopped that. As a default action, ComboFix will stop all autorun features as a security measure. It is even recommended by Microsoft to not use the autorun feature any longer so that malware will not download and run automatically when you insert a USB drive or CD. If you want to access them you just need to manually run them.
    ----------

    Providing there are no other malware related problems...

    IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LET'S DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

    This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
    ----------

    The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
    Combofix /Uninstall
    (Note: There is a space between the ..X and the /U that needs to be there.)


    ----------

    Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

    Here are some tips to reduce the potential for spyware infection in the future:

    1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
    • Open Internet Explorer
    • Click on Tools > Internet Options
    • Press Security tab
    • Select Internet zone then place check next to Enable Protected Mode if not already done
    • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
    • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

    3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

    4. Firewall
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
    Online Armor Free
    Agnitum Outpost Firewall Free

    5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

    6. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

    7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

    Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
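
Steps 1 and 2 above are click-through instructions; the settings they change live under the current user's Internet Settings Zones key, where zone 3 is the Internet zone and each setting is a numbered action value (0 = Enable, 1 = Prompt, 3 = Disable). As an added example, not something from the post, the following Python turns those steps into an audit: it compares a zone's values with the recommended ones and produces the corrected set beside the weak one. The action ids and their meanings are taken from Microsoft's documented layout of that registry key (KB182569) and are my assumption rather than anything the post states, so verify them against the documentation for the IE version in use. The registry read uses the standard `winreg` module and only works on Windows; the sample values are constructed so the audit runs offline.

```python
from typing import Dict, List, Optional, Tuple

# HKCU\...\Internet Settings\Zones\3 is the Internet zone (documented layout,
# assumed here rather than taken from the post).
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = "3"
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Recommended settings from the wrap-up post, keyed by the zone action id
# documented in KB182569 (assumption; check against your IE version).
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "2500": ("Protected Mode", ENABLE),   # 0 = on, 3 = off (Vista and later)
}

# Constructed "before" state: signed ActiveX downloads, IFRAME launches and
# cross-domain sub-frames all enabled, Protected Mode value not present at all.
SAMPLE_BEFORE: Dict[str, int] = {
    "1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
    "1800": PROMPT, "1804": ENABLE, "1607": ENABLE,
}


def audit_zone(actual: Dict[str, int]) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (action, label, current, recommended) for every setting that is
    weaker than recommended or not set at all. A missing value is reported
    rather than assumed, because the effective default depends on the zone
    template and IE version."""
    gaps = []
    for action, (label, want) in RECOMMENDED.items():
        have = actual.get(action)
        if have != want:
            gaps.append((action, label, have, want))
    return gaps


def apply_recommendations(actual: Dict[str, int]) -> Dict[str, int]:
    """Pure function: the same zone with every recommended value set.
    It does not touch the registry; writing is left to the operator."""
    fixed = dict(actual)
    for action, (_label, want) in RECOMMENDED.items():
        fixed[action] = want
    return fixed


def read_zone_from_registry(zone: str = INTERNET_ZONE) -> Dict[str, int]:
    """Read the current user's values for one zone. Windows only: `winreg`
    is unavailable elsewhere, and the import fails with ImportError."""
    import winreg
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + zone) as key:
        for action in RECOMMENDED:
            try:
                data, _kind = winreg.QueryValueEx(key, action)
                values[action] = int(data)
            except FileNotFoundError:
                pass                     # value absent: audit_zone reports it
    return values


if __name__ == "__main__":
    try:
        current = read_zone_from_registry()
    except ImportError:
        current = SAMPLE_BEFORE           # offline demonstration on the sample
    for action, label, have, want in audit_zone(current):
        shown = "not set" if have is None else have
        print(f"{action} {label}: current={shown} recommended={want}")
```

Running it on the sample lists four gaps (1001, 1804, 1607 and the absent 2500); `audit_zone(apply_recommendations(SAMPLE_BEFORE))` is empty, which is the state the post's step 1 and step 2 leave the Internet zone in.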

  6. #66 Member (Join Date Apr 2012, Posts 46)

    Hello Jeff:

    I am confirming that my PC is in good shape and you can close this thread.

    Thank you thank you thank you so much for assisting me in getting rid of this malware. Please post information on how I can show my gratitude further and can contribute to keeping this great forum up and running. It's such a valuable resource.

    Thank you once again. I REALLY appreciate all of the help and assistance!

    Mike

  7. #67 Emeritus (Join Date Apr 2011, Location USA, Posts 1,038)

    Hi Mike,

    Glad that it is back to running well. I am glad that we could be of help!

    Please post information on how I can show my gratitude further and can contribute to keeping this great forum up and running. It's such a valuable resource.
    You can go here to contribute if that is what you would like to do. It is very much appreciated.
    Last edited by jeffce; 2012-04-21 at 18:55.

  8. #68 Member (Join Date Apr 2012, Posts 46)

    Hello Jeff:

    My Outlook email is back to normal. The storage device had its hooks in it and I uninstalled all of the features I did not want, and that solved that one issue.

    Also, I just made a donation through Paypal. I wanted to mention your name in there, but unfortunately, I didn't see a place to add a note. Sorry about that, but I did contribute.

    Thanks again,

    Mike

  9. #69 Emeritus (Join Date Apr 2011, Location USA, Posts 1,038)

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

    If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
    ----------
