
Privacy Protection - Need help please

Postby supr75 » Wed Nov 09, 2011 1:39 pm

Not sure what the problem is, but no programs would open and a window opened up wanting me to activate some kind of anti-virus protection/scanner. I think it was called "Privacy Protection". I had to restart the computer and quickly turn it off with Windows Task Manager to even get Opera to open. If you can help me I would greatly appreciate it. Thanks. - supr75

My HijackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:25:56 AM, on 11/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Jason Rose\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59111
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [C41.exe] C:\Program Files\LP\43A6\C41.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jason Rose\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Privacy Protection] C:\Documents and Settings\All Users\Application Data\privacy.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1841249631
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5476 bytes
Last edited by 12056 on Fri Nov 11, 2011 2:08 am, edited 2 times in total.
Reason: ...Bolding entries that will be removed later...
supr75
 
Posts: 28
Joined: Thu Jan 29, 2009 6:44 am
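The log above is read by eye in this thread: the R1 line points the browser proxy at 127.0.0.1:59111, two O4 autoruns live in places no installer uses (privacy.exe under All Users\Application Data, C41.exe under a random-looking Program Files\LP\43A6), and the Bing Bar entries are "(file missing)". As an added example that is not part of the thread and not HijackThis code, the Python script below applies those same checks to any HijackThis-style log; SAMPLE_LOG holds lines copied from the posted log, and the heuristics (which directories count as suspicious, what a random-looking directory name is) are my own assumptions. It only reports; it changes nothing on the machine.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread.

Added example: not HijackThis code and not from the original post. SAMPLE_LOG
holds lines copied from the log above; the heuristics below are assumptions.
"""
import re
from dataclasses import dataclass

# Proxy pointing back at the local machine: every browser request is handed
# to a local process, which is how the rogue lock-out blocks updates.
LOOPBACK = re.compile(r"(127\.0\.0\.1|localhost):\d+")
# Assumed heuristic: a path component of 4-8 hex digits (e.g. "\43A6\")
# marks a randomly named drop directory.
HEX_DIR = re.compile(r"\\[0-9A-Fa-f]{4,8}\\")
# Data directories a normal installer does not use for autorun binaries.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59111
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [C41.exe] C:\Program Files\LP\43A6\C41.exe
O4 - HKCU\..\Run: [Privacy Protection] C:\Documents and Settings\All Users\Application Data\privacy.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = remove/investigate now, "low" = cleanup only
    entry: str     # the log line that triggered the finding
    reason: str


def triage(log_text):
    """Return the Findings for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue  # header lines, process list, blank lines
        code, _, rest = line.partition(" - ")
        low = rest.lower()
        if code == "R1" and "proxyserver" in low and LOOPBACK.search(rest):
            findings.append(Finding("high", line,
                "browser proxy forced through a loopback port"))
        elif code == "O4":
            if any(d in low for d in USER_WRITABLE):
                findings.append(Finding("high", line,
                    "autorun binary in a user-writable data directory"))
            elif HEX_DIR.search(rest):
                findings.append(Finding("high", line,
                    "autorun binary in a random-looking hex-named directory"))
        if low.endswith("(file missing)"):
            findings.append(Finding("low", line,
                "dangling entry: target file no longer exists"))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 3, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.reason}\n        {f.entry}")
    print(summary(triage(SAMPLE_LOG)))
```

On the sample it reports three high findings (the loopback proxy and the two autoruns) and one low (the missing Bing Bar DLL), which is exactly the set the moderator later has ComboFix remove. The signed Avira entries produce nothing, so the script is a first pass, not a verdict: a legitimate per-user updater also lives under Application Data and would be flagged for a human to clear.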

Re: Privacy Protection - Need help please

Postby 12056 » Wed Nov 09, 2011 10:53 pm

Hello "supr75",

Please follow the instructions provided here.

If you have trouble at any point, please let me know!
I look forward to working with you...
Last edited by 12056 on Fri Nov 11, 2011 1:26 am, edited 1 time in total.
Reason: ...removing e-mail address to prevent spam...
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: Privacy Protection - Need help please

Postby supr75 » Thu Nov 10, 2011 1:26 am

Hi, I followed all the instructions at the link you gave me, but Privacy Protection still opens up when the computer is started up. Anything else?

Thanks, supr75

Re: Privacy Protection - Need help please

Postby 12056 » Thu Nov 10, 2011 1:29 am

I have submitted a ticket with Avira regarding this malware sample; tomorrow, during their regular updates, a removal signature should be pushed to your machine, allowing you to remove the infection.
If Avira fails to remove this threat, please let me know so that we can try an alternate removal method...

Re: Privacy Protection - Need help please

Postby supr75 » Thu Nov 10, 2011 7:33 pm

Hi, I tried updating Avira but it does not work. I can't update any programs or use any browsers.

-supr75

Re: Privacy Protection - Need help please

Postby 12056 » Thu Nov 10, 2011 7:52 pm

I'm sorry you're having trouble; the BleepingComputer.com guide was designed to help users detect and remove most variants of Privacy Protection, but you may have a new one!
Did you have trouble on any of the steps, or get a result that wasn't expected?

Re: Privacy Protection - Need help please

Postby supr75 » Thu Nov 10, 2011 10:18 pm

I followed all the instructions and it all looked like it was going OK, and after MBAM finished scanning and removed all the listed malware it rebooted, but afterwards Privacy Protection was still there.
Should I run through it all again?

-supr75

Re: Privacy Protection - Need help please

Postby 12056 » Fri Nov 11, 2011 1:23 am

Ok, it seems like MBAM is having a hard time removing this threat; I have informed them of this here.

Let's try using a specialized tool called "Combofix".

1. Boot into "Safe Mode with Networking" as before.
2. Download Combofix from here, use the BleepingComputer.com link.
3. Double-click the newly downloaded file and allow it to scan (generally takes ~10-15 minutes, more on a heavily infected system).
4. Combofix will restart your computer when it has finished scanning; it will also create and open a log file at the next log-on.

--> Please post the contents of the log file that pops up after the reboot.
---> Combofix will attempt to rid the system of this threat; please let me know if there are still any apparent symptoms.

Re: Privacy Protection - Need help please

Postby supr75 » Fri Nov 11, 2011 7:19 am

YES, THANK YOU SO MUCH! That removed Privacy Protection, but I still can't get an internet connection with any browsers or update anything. I will post the log file next.

-supr75

Re: Privacy Protection - Need help please

Postby supr75 » Fri Nov 11, 2011 7:19 am

ComboFix 11-11-10.03 - Jason Rose 11/11/2011 0:40.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.359 [GMT -8:00]
Running from: c:\documents and settings\Jason Rose\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\privacy.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Jason Rose\Local Settings\Application Data\{F85FB42E-8680-4D66-853D-3D8DA085C7B4}
c:\documents and settings\Jason Rose\Local Settings\Application Data\{F85FB42E-8680-4D66-853D-3D8DA085C7B4}\chrome.manifest
c:\documents and settings\Jason Rose\Local Settings\Application Data\{F85FB42E-8680-4D66-853D-3D8DA085C7B4}\chrome\content\_cfg.js
c:\documents and settings\Jason Rose\Local Settings\Application Data\{F85FB42E-8680-4D66-853D-3D8DA085C7B4}\chrome\content\overlay.xul
c:\documents and settings\Jason Rose\Local Settings\Application Data\{F85FB42E-8680-4D66-853D-3D8DA085C7B4}\install.rdf
c:\documents and settings\Jason Rose\Local Settings\Application Data\559c217f
c:\documents and settings\Jason Rose\Local Settings\Application Data\559c217f\@
c:\documents and settings\Jason Rose\Local Settings\Application Data\559c217f\X
c:\program files\Avira\AntiVir Desktop\aerdl.dll
c:\program files\Avira\AntiVir Desktop\aesbx.dll
c:\program files\Avira\AntiVir Desktop\aescn.dll
c:\program files\Avira\AntiVir Desktop\FAILSAFE\aerdl.dll
c:\program files\Avira\AntiVir Desktop\FAILSAFE\aesbx.dll
c:\program files\Avira\AntiVir Desktop\FAILSAFE\aescn.dll
c:\program files\LP
c:\program files\LP\43A6\2.tmp
c:\program files\LP\43A6\C41.exe
c:\windows\$NtUninstallKB35612$
c:\windows\$NtUninstallKB35612$\1436295551\@
c:\windows\$NtUninstallKB35612$\1436295551\L\irnhwsty
c:\windows\$NtUninstallKB35612$\45009217
c:\windows\system32\c_44580.nl_
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-10 01:57 . 2011-11-10 01:57 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-10 01:47 . 2011-11-10 01:47 -------- d-----w- c:\documents and settings\Administrator
2011-11-09 21:30 . 2008-04-13 20:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-11-09 21:30 . 2008-04-13 20:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-09 12:07 . 2011-11-09 12:07 -------- d-----w- c:\program files\29B81
2011-11-09 11:59 . 2011-11-09 11:59 -------- d-----w- c:\documents and settings\Jason Rose\Application Data\64D29
2011-10-18 13:20 . 2011-11-09 21:31 -------- d-----w- c:\windows\system32\NtmsData
2011-10-18 13:13 . 2011-10-18 13:13 -------- d-----w- c:\documents and settings\Jason Rose\Application Data\Avira
2011-10-18 13:12 . 2011-10-11 22:00 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-18 13:12 . 2011-10-11 22:00 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-18 13:12 . 2011-10-11 22:00 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-18 13:11 . 2011-10-18 13:11 -------- d-----w- c:\program files\Avira
2011-10-18 13:11 . 2011-10-18 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2002-09-03 16:50 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2002-09-03 16:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2002-09-03 16:29 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2002-09-03 17:11 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 01:00 . 2010-11-04 06:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-06-23 18:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2002-09-03 16:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2002-09-03 16:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2002-09-03 16:27 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-12 21:13 . 2011-09-12 21:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule TCP
"4672:UDP"= 4672:UDP:eMule UDP
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/18/2011 5:12 AM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/18/2011 5:12 AM 86224]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [5/6/2011 10:03 AM 191752]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1409082233-725345543-1004Core.job
- c:\documents and settings\Jason Rose\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-11 14:41]
.
2011-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1409082233-725345543-1004UA.job
- c:\documents and settings\Jason Rose\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-11 14:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyServer = http=127.0.0.1:57677
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jason Rose\Application Data\Mozilla\Firefox\Profiles\9by2o24z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BSRTDF&PC=BBSR&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=BSRTDF&PC=BBSR&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 57677
FF - prefs.js: network.proxy.type - 1
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Privacy Protection - c:\documents and settings\All Users\Application Data\privacy.exe
HKLM-Run-C41.exe - c:\program files\LP\43A6\C41.exe
SafeBoot-08070145.sys
AddRemove-WOLAPI - c:\westwood\internet\UninstAP.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 00:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-11 01:03:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 09:02
.
Pre-Run: 22,593,589,248 bytes free
Post-Run: 22,833,721,344 bytes free
.
- - End Of File - - 09384717AC0B6422CCCDAE36DBEA7336

Re: Privacy Protection - Need help please

Postby 12056 » Fri Nov 11, 2011 5:56 pm

I'm glad Combofix was successful in removing the active threat "Privacy Protection"; please use the notes and instructions below to remove any dormant hijacks and prevent future infection(s).
NOTE: I noticed in your log file that your system has a peer-to-peer program known as "eMule"; I strongly recommend that you uninstall it to prevent future infections!

Let's run a Combofix Script:

Please open notepad, and copy and paste the below code into it...

Code:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:57677

Firefox::
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 57677
FF - prefs.js: network.proxy.type - 1


Save this file as CFScript.txt
Then, drag and drop the CFScript.txt file onto the Combofix.exe file to launch the removal script.

Combofix will fix the hijacked settings I listed, and then restart your computer.
Upon restart, a new log file will be created, please post it!

The script removed an infected proxy server setting related to the malware we removed earlier.
We need to reset your DNS cache:

1. Click Start, then Run; in the box type: ipconfig /flushdns and then click OK.
A black window will flash on the screen and then disappear, this is normal!

Next, the rogue "Privacy Protection" is known to be bundled with a bootkit known as TDSS; while your computer may not display any obvious signs of infection, you may still be infected!

1. Download TDSSKiller from here.
2. Use the guide on the Kaspersky website here to "Cure" infected items and "Skip" suspicious ones until I can analyze them further.
3. After it runs, TDSSKiller will produce a log file listing the items it detected along with the MD5s of all drivers on your machine; please post this log in your next post.

--> Please post the new Combofix log (after running the CFScript.txt) and the new TDSSKiller log file for review.
---> You should now be able to update and browse without redirections!

Re: Privacy Protection - Need help please

Postby supr75 » Fri Nov 11, 2011 8:28 pm

Hi, I dragged and dropped the CFScript.txt file onto the Combofix.exe file to launch it; after it was done it created a new log file but did not restart this time. I have not run TDSSKiller or clicked Start, then Run, typed ipconfig /flushdns in the box and clicked OK yet. Every time I click the mouse over the box and begin typing, the mouse will freeze and I can't type anything. I have restarted a couple of times but it freezes every time. I have also removed eMule as well.
I will post the logfile next

-supr75

Re: Privacy Protection - Need help please

Postby 12056 » Fri Nov 11, 2011 11:51 pm

...I removed the log file for sake of topic size...

It's odd that your mouse and computer are freezing up; Combofix did not remove any more files or legit settings.
Can you tell me at what step this problem started occurring, for example: after removing eMule, after Combofix, etc.?

Also, I noticed that Combofix didn't remove the proxy settings from Firefox, so please remove them manually:
1. Open Firefox and drop-down the Tools menu.
2. Options -> Advanced -> Network -> Connection (Settings)
3. Select the "No Proxy" option, and click OK
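The CFScript's Firefox:: section earlier in the thread and the manual "No Proxy" steps just above are the same change to the profile's prefs.js: network.proxy.type is 1 (manual proxy) and network.proxy.http points at 127.0.0.1, so every Firefox request is handed to a port the now-removed malware used to listen on, which is why browsing and updates still fail after the executable is gone. As an added example, not ComboFix code and not from the thread, the Python script below finds that pattern in a prefs.js and resets it to type 0 (the "No Proxy" option the moderator pointed at), dropping the host and port prefs. SAMPLE_PREFS is constructed from the values in the posted ComboFix log; the prefs.js file location and the set of proxy pref names are assumptions.

```python
"""Strip a loopback proxy hijack out of a Firefox prefs.js.

Added example: not part of the thread and not ComboFix code. SAMPLE_PREFS is
constructed from the values in the posted ComboFix log; the pref names and
the file path handling are assumptions for this illustration.
"""
import re
from pathlib import Path

# One prefs.js line: user_pref("name", value);
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
# Prefs that name a proxy host (assumed set; http is the one in this thread).
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.ftp", "network.proxy.socks")
# Values as they appear in the file, quotes included.
LOOPBACK_HOSTS = ('"127.0.0.1"', '"localhost"', '"::1"')

# Constructed sample matching the FF - prefs.js lines in the ComboFix log.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("keyword.URL", "http://www.bing.com/search?FORM=BSRTDF&PC=BBSR&q=");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 57677);
user_pref("network.proxy.type", 1);
"""


def parse_prefs(text):
    """Map pref name -> raw value string for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def is_loopback_hijack(prefs):
    """True when a manual proxy (type 1) points at the local machine."""
    if prefs.get("network.proxy.type") != "1":
        return False
    return any(prefs.get(p) in LOOPBACK_HOSTS for p in PROXY_HOST_PREFS)


def clean_prefs(text):
    """Return (cleaned_text, removed_pref_names); unrelated prefs untouched."""
    if not is_loopback_hijack(parse_prefs(text)):
        return text, []  # nothing to do: leave a non-hijacked file alone
    removed, out = [], []
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        name = m.group(1) if m else None
        if name == "network.proxy.type":
            # 0 = "No Proxy", the option the moderator told the user to pick.
            out.append('user_pref("network.proxy.type", 0);')
            removed.append(name)
        elif name and name.startswith("network.proxy."):
            removed.append(name)  # host/port/exception prefs are dropped
        else:
            out.append(line)
    return "\n".join(out) + "\n", removed


def clean_file(path):
    """Rewrite prefs.js in place, keeping prefs.js.bak. Firefox must be closed:
    it rewrites prefs.js on exit and would put the old values back."""
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    cleaned, removed = clean_prefs(text)
    if removed:
        p.with_suffix(".js.bak").write_text(text, encoding="utf-8")
        p.write_text(cleaned, encoding="utf-8")
    return removed


if __name__ == "__main__":
    cleaned, removed = clean_prefs(SAMPLE_PREFS)
    print("removed:", removed)
    print(cleaned)
```

Run clean_file against the profile path shown in the ComboFix log (the Profiles\...\prefs.js under the user's Application Data\Mozilla\Firefox) with Firefox closed; if the browser is open the edit is silently overwritten at exit, which is one plausible reason a scripted fix "didn't take" while the GUI change did. The script deliberately refuses to touch a file whose proxy does not point at loopback, so a legitimate corporate proxy is left alone.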

Re: Privacy Protection - Need help please

Postby supr75 » Sat Nov 12, 2011 9:10 am

Hi I just wanted to thank you for all the help you have given me I really appreciate it.
I was able to copy/paste ipconfig /flushdns into the Run box and then I ran TDSSKiller; it said zero threats found and it did not create a log file. Also, it still freezes when I use the keyboard, and I still can't get a connection with the browsers. Last thing: I opened Firefox and changed it to no proxy.
Thanks, supr75

Re: Privacy Protection - Need help please

Postby 12056 » Sat Nov 12, 2011 4:04 pm

Is there a "System Restore" or Back-Up you could use, to restore your computer to a more stable time period?