Search Engine redirection virus
   

Taquitos
New Member


Date Joined Aug 2008
Total Posts : 5
 
Posted 8-31-2008 12:26 (GMT +1)
After taking two days trying to manually get rid of the "Antivirus XP 2008" virus (with success) I somehow got a virus that slows my internet down to a slow jog, and redirects me when I click on links given to me by Google, Yahoo!, Blackle, Dogpile, and various others.

The sites I am redirected to usually have something to do with the site I wanted to go to, i.e.: searching for redirection virus and clicking on about any random link will bring me to a page like Antivirus XP 2008 on-line virus scan.

Some sites downright will not work. Attempting to go to certain sites will result in a page saying "Unable to Connect" telling me that Firefox cannot establish a connection to the site. I noticed that two specific sites have that problem, Bleepingcomputer.com and geekstogo.com. This problem occurs on both Firefox and Internet Explorer.

Also, when I search with Google, the search bar at the top (the one that says what you just searched for) does not work; absolutely nothing happens when I press enter or click the search button after my previous search has finished.

And finally, when I have to restart my computer (for attempts at system restore or going into safe mode) I usually have to restart again because the login page freezes. The cursor stops blinking and the mouse won't move. I'm not entirely sure if this has anything to do with this redirection problem, but I think it might.

I was, to my nearly non-existent good fortune, able to get Hijack This! and CCleaner before my problem got to how it is at the moment.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:16 PM, on 8/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 4831 bytes
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 8-31-2008 4:46 (GMT +1)
Hello :)
Try to follow this ->
Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and paste that log into your next reply.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 



Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

 

Taquitos
New Member


Date Joined Aug 2008
Total Posts : 5
 
Posted 8-31-2008 7:15 (GMT +1)
Ok, here is the log, had to find the program from an alternate site, since the normal site seems to be one of those that won't load because of the virus.


Malwarebytes' Anti-Malware 1.25
Database version: 1099
Windows 5.1.2600 Service Pack 3

1:10:47 AM 8/31/2008
mbam-log-08-31-2008 (01-10-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 70793
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Owner\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbcat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphcgb9j0e77r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcgb9j0e77r.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 8-31-2008 7:50 (GMT +1)
Ok. Please tell which site you have downloaded it from?

Please download Combofix and save it to the desktop.

Close all other browser windows.

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
 
 
 


 

Taquitos
New Member


Date Joined Aug 2008
Total Posts : 5
 
Posted 8-31-2008 8:27 (GMT +1)
Firstly, I used the site www.download.com.
And here is the log. Also, combofix seems to have changed my taskbar a bit. Can you tell me how to change it back to normal?


ComboFix 08-08-30.03 - Owner 2008-08-31 2:17:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1563 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_tdssserv


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-31 01:00 . 2008-08-31 01:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 01:00 . 2008-08-31 01:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-31 01:00 . 2008-08-31 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-31 01:00 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-31 01:00 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-30 17:41 . 2008-08-30 17:41 <DIR> d-------- C:\Program Files\CCleaner
2008-08-30 17:20 . 2008-08-30 17:20 <DIR> d-------- C:\Documents and Settings\Administrator.BUTTLER-0DCAC44
2008-08-30 17:00 . 2008-08-30 17:00 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-29 19:27 . 2008-08-29 19:27 <DIR> d-------- C:\Program Files\PremiumSoft
2008-08-29 19:27 . 2006-04-13 11:30 1,073,152 --a------ C:\WINDOWS\system32\libmysql_c.dll
2008-08-29 16:42 . 2008-08-29 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 00:24 . 2008-08-29 00:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Auslogics
2008-08-26 17:23 . 2008-08-31 02:20 <DIR> d-------- C:\Program Files\Steam
2008-08-25 20:47 . 2008-08-25 20:48 <DIR> d-------- C:\DVDVideoSoft
2008-08-24 23:58 . 2002-07-07 17:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-08-24 23:58 . 2006-06-20 03:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-08-22 21:05 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-08-22 21:04 . 2008-08-22 21:04 <DIR> d-------- C:\WINDOWS\Logs
2008-08-22 21:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-22 21:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-08-22 21:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-08-17 16:36 . 2008-08-17 16:36 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-08-17 16:36 . 2008-08-17 16:36 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-08-17 16:36 . 2008-08-17 16:36 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-08-13 19:59 . 2008-07-25 21:29 <DIR> d-------- C:\Documents and Settings\Owner\ArcEmu
2008-08-12 23:13 . 2008-08-12 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HeidiSQL
2008-08-12 21:13 . 2008-08-12 21:13 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-08-12 21:13 . 2008-08-12 21:13 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-08-12 21:13 . 2008-08-12 21:13 <DIR> d-------- C:\Program Files\MSBuild
2008-08-12 21:13 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-08-07 19:30 . 2008-08-07 19:30 <DIR> d-------- C:\Program Files\Axon Data
2008-08-07 19:03 . 2004-03-09 00:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-07 19:03 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-08-07 19:03 . 2004-03-09 00:00 440,352 --a------ C:\WINDOWS\system32\MSHFLXGD.OCX
2008-08-07 19:03 . 2001-05-11 12:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-08-07 19:03 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-08-07 19:03 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-08-07 19:03 . 2004-03-09 00:00 200,224 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-08-07 19:03 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-08-07 19:03 . 2008-01-17 04:00 67,208 --a------ C:\WINDOWS\UnDeploy.exe
2008-08-06 20:02 . 2008-08-07 14:48 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Program Files\QuickTime
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Program Files\iTunes
2008-07-27 18:07 . 2008-08-27 18:31 <DIR> d-------- C:\Program Files\iPod
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Program Files\Bonjour
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-27 18:07 . 2008-07-27 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-27 18:06 . 2008-07-27 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-27 17:56 . 2008-08-27 21:13 <DIR> d-------- C:\Program Files\DivX
2008-07-27 17:56 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-27 17:56 . 2008-06-10 19:07 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-07-27 17:56 . 2008-06-10 19:07 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-07-27 17:45 . 2008-08-27 21:15 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-22 20:17 . 2008-07-22 20:17 25 --a------ C:\WINDOWS\cdplayer.ini
2008-07-22 20:15 . 2008-07-22 20:15 <DIR> d-------- C:\Program Files\Real
2008-07-22 20:15 . 2008-07-22 20:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-22 20:15 . 2008-07-22 20:15 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-17 17:25 . 2008-04-14 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-17 16:26 . 2008-07-17 16:26 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-07-17 16:26 . 2008-07-17 16:26 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-07-17 16:26 . 2002-01-05 17:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-07-15 16:26 . 2008-08-30 17:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-13 15:05 . 2008-07-29 23:23 <DIR> d-------- C:\Program Files\Cheat Engine
2008-07-13 15:05 . 2007-12-26 19:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-07-13 15:05 . 2007-12-26 19:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-07-13 13:11 . 2008-07-13 13:11 <DIR> d-------- C:\Program Files\NifTools
2008-07-12 19:40 . 2008-07-12 19:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield Installation Information
2008-07-12 19:26 . 2008-07-12 19:26 <DIR> d-------- C:\Program Files\Unreal Tournament 3
2008-07-12 19:25 . 2008-07-12 19:25 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-07-12 19:25 . 2008-07-12 19:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 19:25 . 2008-07-12 19:25 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-06 13:11 . 2008-08-02 20:56 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-07-06 13:11 . 2008-08-03 22:58 77,466 --a------ C:\WINDOWS\War3Unin.dat
2008-07-06 13:11 . 2008-08-02 20:56 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-06 13:08 . 2008-08-23 09:03 <DIR> d-------- C:\Program Files\Warcraft III
2008-07-04 11:35 . 2008-07-04 11:35 2,359,350 --a------ C:\WINDOWS\darkportal-1024x.bmp
2008-07-04 11:34 . 2008-07-04 11:34 <DIR> d-------- C:\Program Files\Stardock
2008-07-04 11:34 . 2008-07-04 11:34 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-07-04 11:34 . 2003-02-27 00:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-07-04 11:34 . 2008-07-04 11:34 82 --a------ C:\WINDOWS\wb.ini
2008-07-04 09:16 . 2008-08-08 02:21 <DIR> d-------- C:\Program Files\CamStudio
2008-07-03 21:26 . 2008-07-03 21:26 <DIR> d-------- C:\WINDOWS\Sun
2008-07-03 07:57 . 2008-07-28 11:14 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-07-03 07:24 . 2008-07-03 07:25 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-07-03 07:24 . 2008-07-03 07:24 4,254 --a------ C:\WINDOWS\system32\WLAN.INI
2008-07-03 07:15 . 2008-07-03 07:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ideazon
2008-07-03 07:09 . 2008-07-03 07:09 <DIR> d-------- C:\Program Files\Ideazon
2008-07-03 07:09 . 2005-05-02 17:41 49,152 --a------ C:\WINDOWS\system32\ZboardConfig.cpl
2008-07-03 07:09 . 2003-09-03 09:14 49,152 --a------ C:\WINDOWS\system32\Winlognotif.dll
2008-07-03 07:09 . 2005-09-22 01:22 28,800 -ra------ C:\WINDOWS\system32\drivers\OmniUsb.sys
2008-07-03 07:09 . 2005-09-22 01:22 9,696 -ra------ C:\WINDOWS\system32\drivers\OmniUsbl.sys
2008-07-02 08:28 . 2008-04-14 07:41 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-02 08:28 . 2008-04-14 02:09 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-02 08:28 . 2008-04-14 02:09 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-07-02 08:28 . 2008-04-14 02:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-02 08:27 . 2008-04-14 02:15 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-02 08:27 . 2008-04-14 02:15 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-02 02:21 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-02 02:21 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-02 01:00 . 2008-08-29 19:08 <DIR> d-------- C:\Program Files\World of Warcraft
2008-07-02 01:00 . 2008-07-02 01:18 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-02 00:50 . 2008-07-02 00:50 0 --a--c--- C:\WINDOWS\nsreg.dat
2008-07-02 00:46 . 2007-07-10 22:55 627,840 -ra------ C:\WINDOWS\system32\drivers\Envy24HF.sys
2008-07-02 00:46 . 2007-07-10 22:55 254,000 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-02 00:46 . 2007-07-10 22:55 254,000 -ra--c--- C:\WINDOWS\system32\Audio3D.dll
2008-07-02 00:46 . 2007-07-10 22:55 254,000 -ra------ C:\WINDOWS\system32\A3D.dll
2008-07-02 00:46 . 2007-07-10 22:55 6,656 -ra--c--- C:\WINDOWS\system32\enhfcpl.cpl
2008-07-02 00:45 . 2008-07-02 00:46 <DIR> d-------- C:\Program Files\VIA
2008-07-02 00:45 . 2007-07-10 22:55 331,184 -----c--- C:\WINDOWS\system32\difxapi.dll
2008-07-02 00:38 . 2006-06-29 13:07 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-02 00:33 . 2008-07-02 00:33 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2008-07-02 00:33 . 2008-07-02 00:33 <DIR> d-------- C:\Program Files\Paint.NET
2008-07-02 00:33 . 2008-07-02 00:33 <DIR> d-------- C:\Program Files\Google
2008-07-02 00:33 . 2006-10-04 21:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-02 00:33 . 2006-10-04 21:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-02 00:32 . 2008-07-02 00:33 <DIR> d-------- C:\Program Files\Picasa2
2008-07-02 00:32 . 2008-08-28 19:51 <DIR> d-------- C:\Program Files\Java
2008-07-02 00:32 . 2008-02-22 04:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-02 00:31 . 2008-07-02 00:31 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2008-07-02 00:31 . 2008-07-02 00:32 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-02 00:31 . 2008-08-29 00:25 <DIR> d-------- C:\Program Files\AusLogics Registry Defrag
2008-07-02 00:31 . 2008-07-02 00:31 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2008-07-02 00:27 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\a-squared Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 16:00 1,129,854 ---ha-w C:\Program Files\94474.bmp
2008-08-28 02:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 23:23 185,728 ---ha-w C:\Program Files\198447.jpg
2008-07-03 12:25 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-07-02 05:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-01 11:58 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-07-01 11:56 315,392 -c--a-w C:\WINDOWS\HideWin.exe
2008-07-01 11:56 --------- d-----w C:\Program Files\Realtek
2008-07-01 11:55 --------- d-----w C:\Program Files\DIFX
2008-07-01 11:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-07-01 11:24 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:00 15360]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-08-26 17:41 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 14:35 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 21:51 39792]
"EnvyHFCPL"="C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2007-07-10 22:55 495616]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-22 20:15 185896]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 11:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 12:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 12:51 289064]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 03:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-06-15 03:45 1826816 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ZboardTray"="C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" [2005-05-02 17:41 380928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 01:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
2003-09-03 09:14 49152 C:\WINDOWS\system32\Winlognotif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 07:42 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UnrealConsole.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\ArcEmu\\Database\\bin\\mysqld-nt.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\ArcEmu\\arcemu-world.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\ArcEmu\\arcemu-logonserver.exe"=
"C:\\Program Files\\Steam\\SteamApps\\heturseytu\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2007-07-10 22:55]
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 19:57]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-inrhclb9j0e77r - C:\Documents and Settings\Owner\Local Settings\Temp\.tt4C7.tmp.exe
MSConfigStartUp-lphcgb9j0e77r - C:\WINDOWS\system32\lphcgb9j0e77r.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uuqt6sbo.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 02:20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-08-31 2:22:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-31 07:22:23

Pre-Run: 45,955,645,440 bytes free
Post-Run: 45,955,760,128 bytes free

251 --- E O F --- 2008-08-27 09:00:22

Taquitos
Posted 8-31-2008 9:42 (GMT +1)
Never mind that part about the taskbar, I got it back to normal.

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 8-31-2008 11:35 (GMT +1)
Sounds good :)

Combolog looks clean. So please tell me how things are running now?


Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted


Taquitos
Posted 8-31-2008 3:33 (GMT +1)
It's working just like new! Thank you so much!

Touch
Posted 8-31-2008 4:37 (GMT +1)
Great :)
 
 
To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore
 
 
Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will:
Uninstall ComboFix.
Delete its related folders and files.
Reset your clock settings.
Hide file extensions.
Hide the system/hidden files.
Reset System Restore again.
 
Please read Tony Klein's excellent article: How I got Infected in the First Place

