Author Topic: windows update redirected and ie 7 hijacked  (Read 7044 times)

seraphia

  • Guest
windows update redirected and ie 7 hijacked
« on: March 16, 2011, 05:58:39 AM »
I need help with this current issue.  Windows update gets redirected to can't load page and when iexplorer.exe is opened I get a memory reference error.

A lot of infections have been taken off the machine, AIS finds no infections with boot time scan, malwarebytes reports the same. PC Tools Internet Security 2011 says the machine is clean as well.  Scans have been run with system restore off, in safe mode with Rkill run first to stop any processes.

This is a last ditch effort before I wipe the machine.  I have attached a HijackThis log.  IE8 was removed as an attempt to repair issues; that is why it is running 7.

The process listed in the log labeled love is actually Rkill.

Can anyone see what I need to kill in the log attached?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: windows update redirected and ie 7 hijacked
« Reply #1 on: March 16, 2011, 08:15:15 AM »
Quote
A lot of infections have been taken off the machine, AIS finds no infections with boot time scan, malwarebytes reports the same. PC Tools Internet Security 2011 says the machine is clean as well.  Scans have been run with system restore off, in safe mode with Rkill run first to stop any processes.
Does this mean you have PC Tools Internet Security and avast Internet Security installed???

Never install more than one AV and one firewall.
Running multiple AV programs can create all kinds of mysterious Windows errors and False Positive detections.

Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

When and why a third-party antivirus software should be uninstalled?
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=574&nav=0,1

Offline Pondus

Re: windows update redirected and ie 7 hijacked
« Reply #2 on: March 16, 2011, 08:23:17 AM »
A better log to post would be from OTS

Follow this guide from our expert malware remover Essexboy and post the logs here
http://forum.avast.com/index.php?topic=53253.0
(do not post logs in the guide)

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTS log )


Essexboy will check the logs when he arrives later today

seraphia

  • Guest
Re: windows update redirected and ie 7 hijacked
« Reply #3 on: March 16, 2011, 05:05:33 PM »
NO - I installed and ran each program separately.  MB first (in safe mode) with Rkill clearing the processes.  Then Boot Time Scan with AIS, it found nothing, as MB looks like it took care of most infections, then I uninstalled AIS and installed PCTOOLS IS and it only found low level spyware infections.  Uninstalled PCTOOLS with intent of putting AIS on permanently, however I am still having the issues I mentioned above.

Attached is the OTS log and the last few malwarebytes scans

Offline Pondus

Re: windows update redirected and ie 7 hijacked
« Reply #4 on: March 16, 2011, 05:44:57 PM »
Malwarebytes has been updated 21 times since what your last log shows, so you may want to update and try again

Essexboy is notified and usually arrives here in 2-3 hours

seraphia

  • Guest
Re: windows update redirected and ie 7 hijacked
« Reply #5 on: March 16, 2011, 07:03:10 PM »
I have noticed on a few other machines lately that Malwarebytes looked like it was in an update loop and that the updates were being downloaded, but not applied.  I just ran the updates for this machine and it shows database version 6078... is that the most current you are referring to?

Offline Pondus

Re: windows update redirected and ie 7 hijacked
« Reply #6 on: March 16, 2011, 07:05:14 PM »
yep, 6078 is latest and program 1.50.1.1100

If you open MBAM > settings >
here you can set how many days it is outdated before you get a warning; default is 7, I use 1.
MBAM can have up to 10 updates in a day
« Last Edit: March 16, 2011, 07:09:46 PM by Pondus »

seraphia

  • Guest
Re: windows update redirected and ie 7 hijacked
« Reply #7 on: March 16, 2011, 07:08:50 PM »
Ok, thank you.  I will run MB again and post a new OTS log when it is done, that is if it finds anything.



Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: windows update redirected and ie 7 hijacked
« Reply #8 on: March 16, 2011, 07:20:28 PM »
@seraphia
You may follow these instructions  ;)

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

> Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Post log reports ( ComboFix.txt) back to topic.


seraphia

  • Guest
Re: windows update redirected and ie 7 hijacked
« Reply #9 on: March 16, 2011, 07:24:19 PM »
Yes thank you......I knew there was one more tool I was forgetting.  I will post all three logs when this scan is done. ;D

Offline magna86

Re: windows update redirected and ie 7 hijacked
« Reply #10 on: March 16, 2011, 07:28:46 PM »
If you wish you may wait for Essexboy. He will also assist you with Malware Removal. Then post only OTS logs.  ;)
If you want to immediately begin with cleaning malware, follow instructions for ComboFix and attach Combofix.txt log here.

 ;)
« Last Edit: March 16, 2011, 07:34:52 PM by magna86 »

seraphia

  • Guest
Re: windows update redirected and ie 7 hijacked
« Reply #11 on: March 16, 2011, 08:46:18 PM »
Looks like combofix did it.  Everything looks good, but I attached the log anyway.  If you would like to look at it for any residue that would be great.

Offline magna86

Re: windows update redirected and ie 7 hijacked
« Reply #12 on: March 16, 2011, 09:14:23 PM »
--> Do not attach any USB memory until we have finished with the cleaning.

Visit this website and remove remnants of McAfee antivirus.
http://uninstallers.blogspot.com/


--> Reboot the computer.


Open notepad and copy/paste the text present inside the code box below:

Code:
File::
c:\program files\McAfee\SpamKiller\MSKDetct.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"=-

SecCenter::
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
{94894B63-8C7F-4050-BDA4-813CA00DA3E8}

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,95,94,42,2e,17,42,41,8b,1a,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,95,94,42,2e,17,42,41,8b,1a,46,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"



Save this as CFScript.txt.



Close all browser windows and, referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will re-run.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
« Last Edit: March 16, 2011, 09:26:23 PM by magna86 »
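
Added example (not part of the thread and not ComboFix's own code): a small Python parser that splits a CFScript like the one in Reply #12 into its `Name::` sections and lists the file and registry-value removals it requests, so the script can be checked against the machine before it is dragged onto ComboFix. It assumes that `"name"=-` means "delete this value", as in standard .reg syntax; the function names are hypothetical.

```python
import re
# Excerpt of the CFScript posted in Reply #12 (RegLock:: section left out).
CFSCRIPT = r'''File::
c:\program files\McAfee\SpamKiller\MSKDetct.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"=-

SecCenter::
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
{94894B63-8C7F-4050-BDA4-813CA00DA3E8}
'''
SECTION = re.compile(r'^([A-Za-z]+)::$')
KEY = re.compile(r'^\[(.+)\]$')
# Assumption: .reg syntax, where "name"=- (or @=-) deletes a value.
DELETE_VALUE = re.compile(r'^(?:"(.+)"|@)=-$')

def parse_cfscript(text):
    """Group non-blank lines under their 'Name::' section header."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_deletions(lines):
    """Return (key, value_name) for every value-delete line under a [key]."""
    out, key = [], None
    for line in lines:
        if KEY.match(line):
            key = KEY.match(line).group(1)
        elif DELETE_VALUE.match(line) and key:
            out.append((key, DELETE_VALUE.match(line).group(1) or "(Default)"))
    return out

def review(text):
    """Summarise what the script asks to have removed, for a manual check."""
    s = parse_cfscript(text)
    return {"files": s.get("File", []),
            "registry_values": registry_deletions(s.get("Registry", [])),
            "other_sections": sorted(set(s) - {"File", "Registry"})}
```

Sections listed under `other_sections` are reported by name only; their lines are available from `parse_cfscript` for manual inspection.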