July 22nd, 2010, 01:11 PM
#1
Redirector and mail gremlin in residence
Been a LONG time since anything significant got past our defenses but something has. For about a week or so the wife has complained about Google searches being redirected to Asklots and other sites I'm sure are affiliated it. It seemed annoying at most until the other day when something mailed out adspam using our Hotmail contact list. It happened again last night. I have emptied the contacts list to prevent any further outbound mail. Haven't found anything using HJT but I hear it's less effective than it used to be. Here's a ComboFix log for starters, would appreciate an objective look:
Code:
<pre>
c:\program files\Free PDF to Word Doc Converter\pdfinfo .exe
</pre>
------- Sigcheck -------http://www.gmer.net
July 22nd, 2010, 05:04 PM
#2
Hey pop. Off to work now, but do the following and I'll look in when I can.open Notepad Click Start , then Run Type notepad.exe in the Run Box. copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::
RENV::
c:\program files\Free PDF to Word Doc Converter\pdfinfo .exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Save the above as CFScript.txt STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.re-enable all the programs that were disabled during the running of ComboFix:Please take note :CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely , the connection can be manually restored by restarting your machine. OTL Custom Scan box paste this in:Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt . These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy ) the contents of these files, one at a time, and post them back here.
July 22nd, 2010, 08:49 PM
#3
Here's the Combofix.txt; I'll post the two OTL files in a bit.http://www.gmer.net
July 22nd, 2010, 09:11 PM
#4
Part one:========== Processes (SafeList) ========== ========== Modules (SafeList) ========== ========== Win32 Services (SafeList) ========== ========== Driver Services (SafeList) ========== ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== http://www.yahoo.com/ http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)http://update.microsoft.com/microsof...?1175446167015 (WUWebControl Class)http://www.update.microsoft.com/micr...?1270150183796 (MUWebControl Class)http://aerial.leepa.org/ecwplugins/NCS.cab (Reg Error: Key error.)http://upload.facebook.com/controls/...Uploader55.cab (Facebook Photo Uploader 5 Control)http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)https://oca.microsoft.com/en/secure/ocarpt.CAB (OcarptMain Class)https://ediagnostics.lexmark.com/serval.cab (Lexmark eDiagnostics Class)http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)http://download.macromedia.com/pub/s...sh/swflash.cab (Shockwave Flash Object)http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
July 22nd, 2010, 09:13 PM
#5
========== Files/Folders - Created Within 90 Days ========== ========== Files - Modified Within 90 Days ========== ========== Files Created - No Company Name ========== ========== LOP Check ========== ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS >
July 22nd, 2010, 09:14 PM
#6
Here's the third half of OTL.txt < MD5 for: ATAPI.SYS > < MD5 for: EVENTLOG.DLL > < MD5 for: NETLOGON.DLL > < MD5 for: SCECLI.DLL > < MD5 for: VIASRAID.SYS > < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > < %systemroot%\System32\config\*.sav > ========== Alternate Data Streams ==========
July 22nd, 2010, 09:23 PM
#7
I've tried four times to post Extras.txt in both Opera and IE, but each time I click Post Quick Reply the browser crashes - don't know if there's code in it the browser has trouble swallowing. I'm attaching it in .zip format instead. FYI.
July 22nd, 2010, 09:31 PM
#8
In case I didn't already mention it, system is XP Home w/SP3, all updates through last week. Have not been able to update anything Windows since this started, although Avira indicates it has updated today.. Also, I didn't install SteelWerX on the computer. From what I have seen so far about it, that might be my bad boy right there.
July 22nd, 2010, 09:36 PM
#9
Those logs look ok. Just do the following and then see how the pc is.Under the Custom Scans/Fixes
Code:
:Commands
[emptyflash]
[emptytemp]
[resethosts]
[Reboot]
Then click the Run Fix Let the program run unhindered, reboot the PC when it is done. Post the log from this run. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
July 22nd, 2010, 09:37 PM
#10
Originally Posted by
lgbpop
In case I didn't already mention it, system is XP Home w/SP3, all updates through last week. Have not been able to update anything Windows since this started, although Avira indicates it has updated today.. Also, I didn't install SteelWerX on the computer. From what I have seen so far about it, that might be my bad boy right there.
Can you uninstall steelwerx from add/remove?
July 22nd, 2010, 10:36 PM
#11
No. If it's actually present I bet it's loaded each boot from a Registry entry. No uninstaller and no shortcut to it in the Startup folder.
July 22nd, 2010, 10:49 PM
#12
Add this to the OTL fix pop;
July 22nd, 2010, 11:23 PM
#13
I already moved those executables to the Recycle Bin so I could see what happens on the next boot. If need be I can restore them and let OTL do the moving, but it should work this way I bet. Here's the Fix log; new scan log will follow. BTW, just got two popup pages on new windows as I write this....
July 22nd, 2010, 11:30 PM
#14
latest scan log:========== Processes (SafeList) ========== ========== Modules (SafeList) ========== ========== Win32 Services (SafeList) ========== ========== Driver Services (SafeList) ========== ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== http://www.google.com/search?q={sear...e=utf8&oe=utf8 http://www.yahoo.com/ http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)http://update.microsoft.com/microsof...?1175446167015 (WUWebControl Class)http://www.update.microsoft.com/micr...?1270150183796 (MUWebControl Class)http://aerial.leepa.org/ecwplugins/NCS.cab (Reg Error: Key error.)http://upload.facebook.com/controls/...Uploader55.cab (Facebook Photo Uploader 5 Control)http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)https://oca.microsoft.com/en/secure/ocarpt.CAB (OcarptMain Class)https://ediagnostics.lexmark.com/serval.cab (Lexmark eDiagnostics Class)http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)http://download.macromedia.com/pub/s...sh/swflash.cab (Shockwave Flash Object)http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
July 22nd, 2010, 11:31 PM
#15
========== Files/Folders - Created Within 90 Days ========== ========== Files - Modified Within 90 Days ========== ========== Files Created - No Company Name ========== ========== LOP Check ========== ========== Purity Check ========== ========== Alternate Data Streams ==========
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
Forum Rules
Reply With Quote
Originally Posted by lgbpop
