Infected with malware, IE redirect - DDS hangs system

Missed this one, it has to go.

Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    
    :OTL
    [2012/01/30 22:08:55 | 000,441,842 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120204-165854.backup
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    
    
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top (not Run Scan).
  • Let the program run unhindered; reboot when it is done.
  • Then post the results of the log it produces.



Just post the log it produced; we will run another OTL scan after we run ComboFix.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.
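The OTL fix above ends with `[resethosts]`, which restores the stock hosts file, and its `:OTL` line deletes a dated `hosts.*.backup` copy. The script below is an added example for this thread, not OTL's, ComboFix's or the poster's code: it performs the check a helper applies to such a hosts file before discarding it, flagging entries that override a vendor, update or search domain (the mechanism behind many "IE redirect" symptoms) and names mapped to anything other than loopback. The watch list, the sample hosts text and the IP addresses in it are constructed for illustration.

```python
"""Audit a Windows hosts file for hijacked entries.

Added example for this thread; not OTL's, ComboFix's or the poster's code.
OTL's [resethosts] restores the default hosts file. This script shows what
that reset removes: entries that override vendor, update or search domains
(the usual cause of "browser redirect" symptoms) and names mapped to
addresses other than loopback. The watch list and sample file are constructed.
"""
from ipaddress import ip_address

# Constructed watch list: domains commonly hijacked to block updates or
# redirect searches. Extend it for real use.
WATCHED = (
    "microsoft.com", "windowsupdate.com", "trendmicro.com",
    "malwarebytes.org", "google.com", "bing.com", "yahoo.com",
)

# Entries a stock Windows hosts file legitimately contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return (severity, ip, hostname, reason) tuples for non-default entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if is_watched(name):
            # Any override of a watched domain, even to 127.0.0.1, either
            # blocks updates or silently redirects the browser.
            findings.append(("high", ip, name, "watched domain overridden"))
        elif not is_loopback(ip):
            findings.append(("medium", ip, name, "name mapped to a non-loopback address"))
        else:
            # Loopback sinkholes are what ad-blocking hosts lists add; low priority.
            findings.append(("low", ip, name, "extra loopback entry"))
    return findings


# Constructed sample; 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com   # blocks AV updates
203.0.113.5     www.google.com       # search redirect
127.0.0.1       ads.example.net
"""

if __name__ == "__main__":
    for severity, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity:6}] {ip:15} {name:25} {reason}")
```

Run it against a copy of `C:\WINDOWS\System32\drivers\etc\hosts` (or the `.backup` copy the fix deletes) pulled off the machine. A stock Windows XP hosts file contains only the `127.0.0.1 localhost` line, so every finding is something that needs an explanation.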
 
ken545,

:D: :D: :D: :D:
Everything seems to have completed successfully.
I have attached the logs from the OTL-fix and the ComboFix.

I did re-enable all my anti-virus, anti-malware and firewall. Please let me know if I need to disable again.

I'm ready for the next step......

Much thanks,
Jess


ComboFix 12-02-13.01 - Brenda Poland 02/14/2012 20:27:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.496 [GMT -5:00]
Running from: c:\documents and settings\Brenda Poland\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brenda Poland\fsmprint3.0.tmp
c:\documents and settings\Brenda Poland\PNPrint3.exe
c:\program files\INSTALL.LOG
c:\windows\kb913800.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
.
.
2012-02-14 18:33 . 2012-02-14 18:33 -------- d-----w- C:\_OTL
2012-02-09 00:55 . 2012-02-09 00:55 -------- d-----w- c:\documents and settings\Brenda Poland\Application Data\Malwarebytes
2012-02-09 00:54 . 2012-02-09 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-09 00:54 . 2012-02-09 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-09 00:54 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-08 18:10 . 2012-02-08 18:10 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-08 14:09 . 2012-02-08 18:02 -------- d-----w- c:\program files\ERUNT
2012-02-07 18:31 . 2012-02-07 18:32 -------- d-----w- c:\program files\Safer Networking
2012-01-23 13:18 . 2012-01-23 13:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2005-08-16 08:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-08-16 08:18 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2005-08-16 08:18 60416 ----a-w- c:\windows\system32\packager.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-29 98304]
.
c:\documents and settings\Brenda Poland\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT1\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/8/2012 7:54 PM 652360]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/8/2012 7:54 PM 20464]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 10:06 AM 135664]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 10:06 AM 135664]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [7/24/2011 8:07 PM 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [7/24/2011 8:07 PM 8576]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:06]
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page =
mStart Page =
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 20:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-14 20:38:59
ComboFix-quarantined-files.txt 2012-02-15 01:38
.
Pre-Run: 90,234,601,472 bytes free
Post-Run: 90,177,961,984 bytes free
.
- - End Of File - - A8CD8C4720C425CD35109766AA47E95E
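The helper's verdict on this log comes from reading the Reg Loading Points and service sections. The script below is an added example for this thread, not ComboFix's code, that automates the first pass over that section: it parses the `[key]` / `"name"=value` lines and flags Run-key entries whose executable is a bare file name (resolved through the search path at logon, the pattern binary planting abuses), entries that autostart from a user profile or temp directory, Security Center monitoring that has been switched off for a product, and a Windows Firewall profile that is disabled. The trusted-path prefixes are assumptions about a Windows XP layout; the sample is an excerpt of the log above plus one constructed entry (`updater`) to exercise the user-writable rule.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not ComboFix's code. It automates the first
pass a helper makes over the log above: Run-key entries whose executable is a
bare file name (resolved through the search path at logon, the pattern that
binary planting abuses), entries that start from a user profile or temp
directory, Security Center monitoring switched off, and a disabled Windows
Firewall profile. Path prefixes are assumptions about a Windows XP layout;
the sample is an excerpt of the log above plus one constructed entry ("updater").
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
# First executable-looking path in the value, quoted or not, before any arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|cpl|scr|com))', re.IGNORECASE)

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")  # assumed XP layout
USER_ROOTS = ("c:\\documents and settings\\",)


def parse_loading_points(text):
    """Yield (key, value_name, raw_value, exe_path_or_None) for each "name"=... line."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            e = EXE_RE.match(m.group("rest"))
            yield key, m.group("name"), m.group("rest"), (e.group("path") if e else None)


def triage(text):
    """Return (severity, value_name, detail, reason) tuples worth a second look."""
    findings = []
    for key, name, rest, exe in parse_loading_points(text):
        k = key.lower()
        # ComboFix lists disabled startup items under "run-" keys; only "\Run" is active.
        if k.endswith("\\run") and exe is not None:
            p = exe.lower()
            if "\\" not in p:
                findings.append(("medium", name, exe, "bare file name, resolved via the search path"))
            elif p.startswith(USER_ROOTS) or "\\temp\\" in p:
                findings.append(("high", name, exe, "autostart from a user-writable location"))
            elif not p.startswith(TRUSTED_ROOTS):
                findings.append(("low", name, exe, "autostart outside Program Files / Windows"))
        elif "firewallpolicy\\standardprofile" in k and name == "EnableFirewall" and rest.lstrip().startswith("0"):
            findings.append(("info", name, rest, "Windows Firewall profile off (expected when a third-party firewall is in use)"))
        elif "security center\\monitoring" in k and name == "DisableMonitoring" and rest.endswith("1"):
            findings.append(("info", name, key.rsplit("\\", 1)[-1], "Security Center alerts disabled for this product"))
    return findings


# Excerpt of the log above; the "updater" line is constructed, not from the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
"updater"="c:\documents and settings\user\Local Settings\Temp\svchost.exe" [2012-02-10 51200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for severity, name, detail, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {name:20} {detail:60} {reason}")
```

The "info" findings are not verdicts: a third-party suite such as the Trend Micro one in this log normally registers itself with Security Center and replaces the Windows Firewall, so those two entries are expected here. The medium finding on the bare `stsystra.exe` is the kind of entry to confirm by locating the file (here it lives in `system32`) rather than to delete.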
 
Looking good, we're almost home.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Make sure that the option "Remove found threats" is Unchecked
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push [esetListThreats.png]
  12. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the [esetBack.png] button.
  14. Push [esetFinish.png]
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
 
ken545,
Looks like there is still something lingering somewhere....

Here is the log from the latest ESET scan:

C:\Program Files\blstoolbar\blstoolbar.dll probably a variant of Win32/Adware.BHO.MegaSearch application


Thank you,
Jess
 
ken545,

I do have one issue and a few questions, if you could help, please?

  1. Should I uninstall ESET? My machine seems to be running slower with this installed.
  2. Can I delete C:\Program Files\blstoolbar\blstoolbar.dll even if it is not deemed a threat?
  3. Which of the download programs should I keep and which ones should I delete?
  4. How can I completely delete temporary files like in the OTL program? The user interface programs will not accomplish the same results.
  5. You had offered to give me some tips and links to free programs to install that can help keep your system more secure. I would sure appreciate that so this doesn't happen again.
    I thought my machine was protected. Any information will be read and implemented.

I really appreciated your help and incredible knowledge.
Thank you so so much!!
Jess
 
ken545,

I don't know what to do in this situation....
I enabled Tea Timer and it came up with a change

"NoDriveTypeAutoRun"
old data hex:91,00,00,00
new data 323

I had the same change come up when the malware started.

What should I do?? :confused:

Thanks,
Jess
 
Jess,

See if this is in your Add Remove Programs and uninstall it if you wish.

C:\Program Files\blstoolbar



Spybot is a great program, but I have not been a big fan of TeaTimer; I would disable it.

I believe this is related to your CD Rom drive and this is the entry you want to keep
"NoDriveTypeAutoRun"
old data hex:91,00,00,00


You can uninstall ESET, we don't need it anymore.


Follow these instructions; any programs that we used that are not removed you can just drag to the trash.

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


    [screenshot: CF-Uninstall.png]



Open OTL and click on Clean Up, and it will remove the programs we used to clean your system along with their backups.




Safe Surfn
Ken
 
Ken,
Just wanted to give you an update on my machine.... It has been behaving itself. Yeah!! I can't thank you enough for your assistance. I thought I was dead in the water.
I've been using FireFox as you suggested. System seems to be running faster than before. (Like the available FF add-ons, still researching more.)
I have also been reading your suggested links, lots of good info! I've been in the process of implementing more security. Definitely will not let this happen again if I can help it.
I am a big fan and supporter of this forum. Will pass along the word to all others about the awesome forum, the great support by generous volunteers and the incredible information available.

forever grateful,
Jess Fixit
 
Thank you Jess,

This is totally up to you, but the Pro version of Malwarebytes has a protection module: if you should wander into a bad site by accident you will get a "page not found" and a pop-up from Malwarebytes saying that it blocked a potentially malicious site. The cost is minimal; I have this on all my systems.

Well, it's been a long hard ride; glad things are running well for you again.

Take care my friend,

Ken :)
 
Ken,
Could not have completed the journey without you. I've learned so much and will continue to keep my machine up to date with the correct tools.
I had decided to purchase the Pro version of Malwarebytes. I'm glad to know you also recommend it. I also decided to keep OTL. I found a tutorial and a "donate" for OldTimer. (Having a programming background, I think I can figure it out.) I'm all for learning new things and supporting organizations willing to make the web a safer place.
Is there an FF add-on similar to Tea Timer functions you would recommend? I'm liking FF more and more. Thanks for suggesting it.

Cheers,
Jess
 
The Protection Module in Malwarebytes will work no matter what browser you use. I have been liking Chrome lately, but FF is still my first love.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 