Explorer is redirecting via malware


Post by slewrate » December 16th, 2008, 5:08 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:04 PM, on 16/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxdfcoms.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2855bc8c-23dc-4e98-b651-7224b8f5dd14} - C:\WINDOWS\system32\pabinula.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TICK INSIDE TIME WAY] C:\Documents and Settings\All Users.WINDOWS\Application Data\2 tray tick inside\List two.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [tigogakola] Rundll32.exe "C:\WINDOWS\System32\juborafe.dll",s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [044ac98e] rundll32.exe "C:\WINDOWS\system32\podobira.dll",b
O4 - HKLM\..\Run: [CPM0779fa12] Rundll32.exe "c:\windows\system32\vapuhonu.dll",a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [tigogakola] Rundll32.exe "C:\WINDOWS\System32\juborafe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=26688
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\pabinula.dll c:\windows\system32\ziperame.dll c:\windows\system32\vapuhonu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ziperame.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ziperame.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\System32\lxdfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7113 bytes
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: Explorer is redirecting via malware

Post by andyspeake » December 16th, 2008, 7:39 pm

Hello, and Welcome :)
I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page in case you need it for reference.
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Explorer is redirecting via malware

Post by slewrate » December 16th, 2008, 11:05 pm

Thank you. Kindly note that I have just observed that rundll is trying to run windows\system32\juborafe.dll, which is not there, and I get a message saying so. This is linked to trojan BHO activity. I don't really like pabinula.dll, a BHO. This message appears every time I boot. Thanks for the help in advance. I'm sorry about the double post, since IE exploded while I was submitting both times. I later logged in to see both posts.
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm
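The entries slewrate singles out above (a rundll32 Run value pointing at a DLL that is no longer on disk, an unnamed BHO in system32, and the AppInit_DLLs line) are exactly what a helper scans a HijackThis log for by eye. The script below is an added example, not part of this thread and not HijackThis's own code: it parses HijackThis-style entry lines and applies those same triage checks. The sample is a constructed subset of the log posted at the top of the thread, mixing clean entries (Adobe, Avira, ctfmon, ZoneAlarm) with the suspect ones. The "eight lowercase letters in system32" naming rule is a heuristic borrowed from how the suspect DLLs in this log are named; it is a prompt to look closer, not a verdict (the same log lists deploytk.dll, a legitimate Java file that would also match it).

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread.
# Assumption: every entry line starts with a section tag such as "O4 - ".
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2855bc8c-23dc-4e98-b651-7224b8f5dd14} - C:\WINDOWS\system32\pabinula.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [tigogakola] Rundll32.exe "C:\WINDOWS\System32\juborafe.dll",s
O4 - HKLM\..\Run: [044ac98e] rundll32.exe "C:\WINDOWS\system32\podobira.dll",b
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [tigogakola] Rundll32.exe "C:\WINDOWS\System32\juborafe.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\pabinula.dll c:\windows\system32\ziperame.dll c:\windows\system32\vapuhonu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ziperame.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"\s,]+?\.dll', re.IGNORECASE)  # x:\...\name.dll without spaces
RUN_VALUE = re.compile(r"\[([^\]]+)\]")                               # the [name] of an O4 Run value
HEX_NAME = re.compile(r"[0-9a-f]{8}")                                 # e.g. 044ac98e
RANDOM_DLL = re.compile(r"[a-z]{8}\.dll")                             # heuristic: eight lowercase letters
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")                               # LOCAL SERVICE / NETWORK SERVICE hives


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(path):
    """Heuristic: a DLL under system32 whose file name is eight lowercase letters."""
    return "\\system32\\" in path.lower() and RANDOM_DLL.fullmatch(basename(path)) is not None


def triage(log_text):
    """Return one Finding per HijackThis entry line that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []

        # Collect DLL paths on the line; O2/O21/O22 carry the path as the last " - " field,
        # which may contain spaces, so take that field too.
        paths = DLL_PATH.findall(body)
        if sec in ("O2", "O21", "O22"):
            paths.append(body.split(" - ")[-1])
        odd = sorted({basename(p) for p in paths if looks_random(p)})
        if odd:
            reasons.append("random-looking DLL name(s) in system32: " + ", ".join(odd))

        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            count = len(body.split(":", 1)[1].split())
            if count:
                reasons.append("AppInit_DLLs loads %d DLL(s) into every process that links user32" % count)
        elif sec == "O2" and "(no name)" in body.split(" - ")[0]:
            reasons.append("BHO registered without a name")
        elif sec == "O4":
            value = RUN_VALUE.search(body)
            if value and HEX_NAME.fullmatch(value.group(1)):
                reasons.append("Run value named like a hex string: " + value.group(1))
            if any(sid in body for sid in SERVICE_SIDS) and "ctfmon" not in body.lower():
                reasons.append("Run value under a service-account hive (LOCAL/NETWORK SERVICE)")
            if "rundll32" in body.lower() and odd:
                reasons.append("rundll32 loads it at every logon")

        if reasons:
            findings.append(Finding(sec, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons))
        print("    ", f.line)
```

Run on the sample, it flags six of the ten lines: the unnamed BHO, the three rundll32 Run values (one of them also for its hex-looking name, one for sitting under the LOCAL SERVICE hive), the AppInit_DLLs entry and the SSODL entry, and leaves the Adobe, Avira, ctfmon and ZoneAlarm lines alone. A flagged line still needs the human check the helpers here do (vendor, file date, whether the file exists), which is why the output lists reasons rather than a verdict.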

Re: Explorer is redirecting via malware

Post by andyspeake » December 17th, 2008, 11:50 am

Hi :)

Download and Run ComboFix

Please visit this webpage for instructions on downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Explorer is redirecting via malware

Post by slewrate » December 17th, 2008, 12:59 pm

After running these, IE launched by itself and ended up at funbox.com, so at this point I still have issues. Thanks in advance for the additional help.

ComboFix log
ComboFix 08-12-16.03 - snowy 2008-12-17 12:37:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.212 [GMT -4:00]
Running from: c:\win\ComboFix\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_003160_.tmp.dll
c:\windows\system32\_003163_.tmp.dll
c:\windows\system32\_003166_.tmp.dll
c:\windows\system32\ajabukol.ini
c:\windows\system32\akedikut.ini
c:\windows\system32\aribodop.ini
c:\windows\system32\asivutej.ini
c:\windows\system32\azeramef.ini
c:\windows\system32\bizituwu.dll
c:\windows\system32\dupekayi.dll
c:\windows\system32\egupukay.ini
c:\windows\system32\gakemojo.dll
c:\windows\system32\gobijadi.dll
c:\windows\system32\hohebalo.dll
c:\windows\system32\imavazob.ini
c:\windows\system32\kofusipo.dll
c:\windows\system32\lokubaja.dll
c:\windows\system32\lotoyeyo.dll
c:\windows\system32\mulivusi.dll
c:\windows\system32\olikehez.ini
c:\windows\system32\opisufok.ini
c:\windows\system32\orolikis.ini
c:\windows\system32\osinufup.ini
c:\windows\system32\owegujip.ini
c:\windows\system32\podobira.dll
c:\windows\system32\pufuniso.dll
c:\windows\system32\roboketu.dll
c:\windows\system32\senazisa.dll
c:\windows\system32\sikiloro.dll
c:\windows\system32\tukideka.dll
c:\windows\system32\udazales.ini
c:\windows\system32\ujodufin.ini
c:\windows\system32\ukujayun.ini
c:\windows\system32\vapuhonu.dll
c:\windows\system32\worapupi.dll
c:\windows\system32\wukebeji.dll
c:\windows\system32\yakupuge.dll
c:\windows\system32\yebizopo.dll
c:\windows\system32\yizofuyu.dll
c:\windows\system32\yuvamati.dll
c:\windows\system32\ziperame.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 15:58 . 2008-12-16 15:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-16 00:20 . 2008-12-16 00:20 772,652 --a------ c:\documents and settings\All Users.aawqff
2008-12-15 21:31 . 2008-12-15 21:31 147 --a------ c:\windows\RtlRack.ini
2008-12-15 21:29 . 2002-07-26 08:43 151,552 --a------ c:\windows\system32\igfxres.dll
2008-12-15 20:13 . 2002-04-23 11:12 208,896 --------- c:\windows\alcupd.exe
2008-12-15 20:13 . 2001-07-06 00:19 164 --------- c:\windows\avrack.ini
2008-12-15 20:03 . 2008-12-15 20:54 <DIR> d-------- c:\documents and settings\snowy\Application Data\U3
2008-12-15 18:39 . 2008-12-15 18:40 <DIR> d-------- c:\documents and settings\Ray
2008-12-15 16:39 . 2008-12-15 17:13 316,640 --a------ c:\windows\WMSysPr9.prx
2008-12-15 16:39 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-15 16:38 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2008-12-15 16:38 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2008-12-15 16:38 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2008-12-15 16:38 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2008-12-15 16:38 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2008-12-15 16:31 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2008-12-15 16:30 . 2004-07-17 11:40 19,528 --a------ c:\windows\002521_.tmp
2008-12-15 16:30 . 2004-08-03 22:42 15,872 --a------ c:\windows\system32\spupdsvc.exe
2008-12-15 16:03 . 2004-08-04 00:56 96,768 --a------ c:\windows\system32\dpcdll.dll
2008-12-15 15:59 . 2004-08-04 00:56 2,940,928 --a------ c:\windows\system32\wmploc.dll
2008-12-15 14:13 . 2002-06-14 18:46 19,274 --a------ c:\windows\000001_.tmp
2008-12-15 13:46 . 2002-05-07 14:34 716,800 --------- c:\windows\NuNInst.exe
2008-12-15 13:46 . 2002-05-22 03:02 336,768 --------- c:\windows\system32\drivers\bsudf.sys
2008-12-15 13:46 . 2002-03-11 09:57 74,640 --------- c:\windows\NuNInst.cfg
2008-12-15 13:46 . 2002-05-01 12:05 9,088 --------- c:\windows\system32\drivers\bsstor.sys
2008-12-09 17:38 . 2008-12-09 17:38 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Messenger Plus!
2008-12-08 20:17 . 2008-12-08 20:17 <DIR> d-------- c:\program files\Windows Live
2008-12-08 20:17 . 2008-12-08 20:17 <DIR> d-------- c:\program files\Messenger Plus! Live
2008-12-08 20:05 . 2008-12-08 20:05 <DIR> d-------- c:\program files\open internet active
2008-12-08 20:04 . 2008-12-08 20:05 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\2 tray tick inside
2008-12-08 20:03 . 2008-12-08 20:04 <DIR> d-------- c:\program files\MessengerPlus! 3
2008-12-08 19:52 . 2008-12-17 12:41 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-08 19:52 . 2008-12-08 19:52 1,409 --a------ c:\windows\QTFont.for
2008-12-07 21:33 . 2008-12-14 20:18 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-07 21:32 . 2008-12-07 21:32 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-07 21:32 . 2008-12-07 21:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-03 07:19 . 2008-12-03 07:19 <DIR> d-------- c:\documents and settings\Guest\Application Data\6500 Series
2008-12-03 07:19 . 2008-12-03 07:19 <DIR> d-------- c:\documents and settings\Guest
2008-12-01 19:40 . 2004-08-03 23:07 171,776 --a------ c:\windows\system32\drivers\kmixer.sys
2008-12-01 19:40 . 2004-08-03 22:39 142,464 --a------ c:\windows\system32\drivers\aec.sys
2008-12-01 19:40 . 2004-08-03 23:15 82,944 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-12-01 19:40 . 2004-08-03 23:15 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
2008-12-01 19:40 . 2001-08-17 14:00 54,272 --a------ c:\windows\system32\drivers\swmidi.sys
2008-12-01 19:40 . 2001-08-17 14:00 54,272 --a--c--- c:\windows\system32\dllcache\swmidi.sys
2008-12-01 19:40 . 2004-08-03 23:07 52,864 --a------ c:\windows\system32\drivers\dmusic.sys
2008-12-01 19:40 . 2004-08-03 23:07 6,400 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-01 19:40 . 2004-08-03 23:07 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
2008-12-01 19:39 . 2002-08-02 18:10 659,228 --a------ c:\windows\system32\drivers\ALCXWDM.SYS
2008-12-01 19:39 . 2004-08-04 00:56 192,000 --a------ c:\windows\system32\iuengine.dll
2008-12-01 19:39 . 2004-08-03 23:15 145,792 --a------ c:\windows\system32\drivers\portcls.sys
2008-12-01 19:39 . 2004-08-03 23:15 145,792 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-12-01 19:39 . 2004-08-03 23:08 60,288 --a------ c:\windows\system32\drivers\drmk.sys
2008-12-01 19:39 . 2004-08-03 23:08 60,288 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-12-01 19:39 . 2004-08-04 00:56 23,552 --a------ c:\windows\system32\wdmaud.drv
2008-12-01 14:39 . 2008-12-01 14:39 <DIR> d-------- c:\documents and settings\snowy\WINDOWS
2008-12-01 14:39 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-01 09:41 . 2008-12-01 09:41 <DIR> d-------- c:\documents and settings\snowy\Application Data\6500 Series
2008-12-01 09:40 . 2008-12-01 09:41 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Lx_cats
2008-12-01 09:36 . 2008-12-01 09:36 <DIR> d-------- C:\logs
2008-12-01 09:36 . 2007-05-03 15:50 348,160 --a------ c:\windows\system32\lxdfcoin.dll
2008-12-01 09:36 . 2006-08-01 01:53 40,960 --a------ c:\windows\system32\lxdfvs.dll
2008-12-01 09:35 . 2007-05-24 16:24 692,224 --a------ c:\windows\system32\lxdfdrs.dll
2008-12-01 09:35 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2008-12-01 09:35 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2008-12-01 09:35 . 2007-04-17 10:17 69,632 --a------ c:\windows\system32\lxdfcnv4.dll
2008-12-01 09:35 . 2007-05-22 10:09 65,536 --a------ c:\windows\system32\lxdfcaps.dll
2008-12-01 09:35 . 2007-05-24 07:41 45,056 --a------ c:\windows\system32\LXDFPMON.DLL
2008-12-01 09:35 . 2007-05-24 07:41 32,768 --a------ c:\windows\system32\LXDFFXPU.DLL
2008-12-01 09:34 . 2008-12-01 09:34 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
2008-12-01 09:34 . 2008-12-01 09:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\6500 Series
2008-12-01 09:34 . 2006-06-02 17:12 339,968 --a------ c:\windows\system32\IMGMAN32.DLL
2008-12-01 09:34 . 2006-06-02 17:12 98,345 --a------ c:\windows\system32\IMHOST32.DLL
2008-12-01 09:34 . 2006-06-02 17:12 98,304 --a------ c:\windows\system32\IM31XPNG.DEL
2008-12-01 09:34 . 2007-04-09 10:59 69,632 --a------ c:\windows\system32\lxdfoem.dll
2008-12-01 09:34 . 2006-06-02 17:12 69,632 --a------ c:\windows\system32\IM31XTIF.DEL
2008-12-01 09:34 . 2006-06-02 17:12 49,152 --a------ c:\windows\system32\IM31IMG.DIL
2008-12-01 09:32 . 2008-12-01 09:41 <DIR> d-------- c:\program files\Lexmark 6500 Series
2008-12-01 08:23 . 1993-03-22 03:55 103,968 --a------ c:\windows\TYPECASE.EXE
2008-12-01 08:23 . 1993-03-24 05:23 55,789 --a------ c:\windows\TYPECASE.HLP
2008-12-01 08:23 . 2008-12-01 08:24 46,482 --a------ c:\windows\typecase.ini
2008-12-01 08:23 . 2008-12-01 08:23 37 --a------ c:\windows\progman.ini
2008-12-01 07:57 . 2008-12-01 07:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\ZoomBrowser
2008-12-01 07:54 . 2001-08-17 22:36 146,944 --a------ c:\windows\system32\ptpusd.dll
2008-12-01 07:54 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-01 07:54 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-01 07:18 . 2008-12-01 07:18 <DIR> d-------- c:\program files\iTunes
2008-12-01 07:18 . 2008-12-01 07:18 <DIR> d-------- c:\program files\iPod
2008-12-01 07:18 . 2008-12-01 07:18 <DIR> d-------- c:\documents and settings\snowy\Application Data\Apple Computer
2008-12-01 07:17 . 2008-12-01 07:17 <DIR> d-------- c:\program files\Apple Software Update
2008-12-01 07:17 . 2008-12-01 07:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-01 07:17 . 2008-12-01 07:17 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2008-12-01 06:45 . 2008-12-01 06:45 <DIR> d---s---- c:\documents and settings\snowy\UserData
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\program files\Avira
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2008-11-30 20:55 . 2008-11-30 20:55 <DIR> d---s---- c:\windows\system32\Microsoft
2008-11-30 20:55 . 2008-11-30 20:55 <DIR> d-------- c:\program files\Lavasoft
2008-11-30 20:55 . 2008-11-30 20:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-30 20:55 . 2008-11-30 20:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2008-11-30 20:51 . 2008-12-01 14:39 <DIR> d-------- c:\documents and settings\snowy
2008-11-30 20:48 . 2008-11-30 20:49 <DIR> d--h----- c:\windows\msdownld.tmp
2008-11-30 20:46 . 2008-11-30 20:46 <DIR> d-------- c:\windows\Cache
2008-11-30 20:42 . 2008-12-16 12:08 <DIR> d-------- C:\arch
2008-11-30 20:35 . 2008-11-30 20:35 <DIR> d-------- c:\program files\ZoneAlarmSB
2008-11-30 20:34 . 2008-11-30 20:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\MailFrontier
2008-11-30 20:33 . 2008-12-17 12:41 <DIR> d-------- c:\windows\Internet Logs
2008-11-30 20:05 . 2008-11-30 20:05 <DIR> d-------- c:\program files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 16:41 982,248 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-17 16:23 183,808 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-12-17 16:23 1,530,880 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-12-17 16:21 1,530,880 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-12-16 05:42 --------- d-----w c:\program files\Accessories
2008-12-16 00:13 --------- d-----w c:\program files\AvRack
2008-12-15 22:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-15 22:16 234,496 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-12-15 22:16 1,471,488 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-12-15 17:48 --------- d-----w c:\program files\Ahead
2008-12-10 22:39 639,488 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-12-10 22:39 1,447,936 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-12-09 00:44 1,454,592 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-12-09 00:17 --------- d-----w c:\program files\MSN Messenger
2008-12-09 00:06 1,460,224 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-12-08 01:32 --------- d-----w c:\program files\Java
2008-12-01 18:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-01 12:09 --------- d-----w c:\program files\Canon
2008-12-01 11:17 --------- d-----w c:\program files\QuickTime
2008-11-30 23:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\MSN6
2008-11-30 23:22 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-30 20:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-30 20:00 --------- d-----w c:\documents and settings\P. Blanchard\Application Data\LimeWire
2008-11-30 18:18 --------- d-----w c:\documents and settings\P. Blanchard\Application Data\Weather Studio
2008-11-13 21:10 --------- d-----w c:\documents and settings\P. Blanchard\Application Data\U3
2005-10-12 17:54 20,798,256 ----a-w c:\program files\AdbeRdr70_enu_full.exe
2005-10-12 17:52 6,811,904 ----a-w c:\program files\psa2011se_us.exe
2005-10-12 17:51 494,704 ----a-w c:\program files\ytb02_efgsip.exe
2004-12-13 14:08 271 --sh--w c:\program files\desktop.ini
2004-12-13 14:08 21,952 ---ha-w c:\program files\folder.htt
2008-09-15 22:35 96,256 --sha-w c:\windows\system32\derasafe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"TICK INSIDE TIME WAY"="c:\documents and settings\All Users.WINDOWS\Application Data\2 tray tick inside\List two.exe" [2008-12-17 4468736]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\ahead\InCD\InCD.exe" [2002-05-22 1032192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-07-26 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-07-26 114688]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-01 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-12-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\sched.exe"=

.
- - - - ORPHANS REMOVED - - - -

BHO-{2855bc8c-23dc-4e98-b651-7224b8f5dd14} - c:\windows\system32\gakemojo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 12:41:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdfcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-17 12:45:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 16:45:15

Pre-Run: 103,935,299,584 bytes free
Post-Run: 103,882,506,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

280

______________________________________________________________
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:36 PM, on 17/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxdfcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TICK INSIDE TIME WAY] C:\Documents and Settings\All Users.WINDOWS\Application Data\2 tray tick inside\List two.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=26688
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\System32\lxdfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6603 bytes
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: Explorer is redirecting via malware

Unread postby andyspeake » December 17th, 2008, 6:42 pm

Hi,


I'd like you to check (a file/some files) for viruses.
c:\windows\RtlRack.ini
c:\windows\system32\d3d9caps.dat
c:\windows\system32\lxdfoem.dll

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.



Download Lop S&D by Eric_71 and save it to your desktop.
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
To see how to disable security programs visit this tutorial:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
You will need to disable following programs:
(list here)
  • Double-click Lop S&D.exe
  • Choose the language by typing the corresponding letter and press Enter
  • Click OK at the informative window
  • Type 1, to choose Option 1 (Search) then press Enter
  • Wait until the end of the scan
  • A report will be generated, post the contents of it in your next reply.
(Copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt)


So please post back:
Upload results
Contents of lopR.txt

Thanks
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Explorer is redirecting via malware

Unread postby slewrate » December 17th, 2008, 7:39 pm

Please note that right after the PC boots, I look at Windows Task Manager and see that IE is launched under no user name, and it keeps the CPU busy like heck. When I kill this process the system is usable. Also, I no longer see any RunDLL messages, I can search with Yahoo and click Back, and IE no longer shoots off to weird sites. Thanks for the progress.

So in this case, with the following reports, I had killed the initial self-launched IE. Should I redo these procedures without killing this IE? I'm not sure if its function is just to go find the router. Thanks again. Where are you? I'm in NB Canada!

VirusTotal results
__________________________________________
File RtlRack.ini received on 12.18.2008 00:08:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)

File d3d9caps.dat received on 12.18.2008 00:13:09 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)

File lxdfoem.dll received on 12.18.2008 00:16:26 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)
__________________________________________

--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel(R) Pentium(R) 4 CPU 2.80GHz )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : snowy ( Administrator )
BOOT : Normal boot
Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Not Activated)
Firewall : ZoneAlarm Firewall 7.0.483.000 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:111 Go (Free:97 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( 17/12/2008|19:27 )

--------------------\\ Listing folders in APPLIC~1

[03/11/2006|12:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[03/11/2006|12:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[13/12/2004|01:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[08/03/2007|09:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[15/09/2008|07:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MailFrontier
[13/12/2004|11:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[28/06/2005|01:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[30/11/2008|03:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[30/11/2008|02:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Weather Studio

[08/12/2008|08:05] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> 2 tray tick inside
[01/12/2008|09:34] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> 6500 Series
[30/11/2008|08:47] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Adobe
[01/12/2008|07:17] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Apple
[01/12/2008|07:18] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Apple Computer
[30/11/2008|09:15] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Avira
[30/11/2008|08:57] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Lavasoft
[30/11/2008|08:34] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> MailFrontier
[09/12/2008|05:38] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Messenger Plus!
[15/12/2008|04:39] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Microsoft
[30/11/2008|07:35] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> MSN6
[01/12/2008|07:57] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> ZoomBrowser


[08/12/2006|12:28] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[13/12/2004|01:25] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[30/11/2008|07:08] C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\<DIR> Microsoft

[03/12/2008|07:19] C:\DOCUME~1\Guest\APPLIC~1\<DIR> 6500 Series
[03/12/2008|07:20] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Adobe
[03/12/2008|07:19] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Identities
[03/12/2008|07:19] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Microsoft

[30/11/2008|07:15] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[30/11/2008|07:15] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[29/10/2008|06:46] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Adobe
[18/07/2007|11:09] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> AdobeUM
[12/09/2005|05:01] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> DeepBurner
[22/01/2007|03:40] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Help
[13/12/2004|10:12] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Identities
[14/03/2006|11:46] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Leadertech
[30/11/2008|04:00] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> LimeWire
[15/12/2004|06:48] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Macromedia
[15/09/2008|07:33] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Microsoft
[10/10/2008|05:04] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Sun
[13/12/2004|11:03] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Symantec
[13/11/2008|05:10] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> U3
[30/11/2008|02:18] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Weather Studio

[15/12/2008|06:40] C:\DOCUME~1\Ray\APPLIC~1\<DIR> Microsoft

[01/12/2008|09:41] C:\DOCUME~1\snowy\APPLIC~1\<DIR> 6500 Series
[01/12/2008|02:50] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Adobe
[01/12/2008|07:18] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Apple Computer
[30/11/2008|08:51] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Identities
[01/12/2008|06:41] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Macromedia
[16/12/2008|03:58] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Microsoft
[15/12/2008|08:54] C:\DOCUME~1\snowy\APPLIC~1\<DIR> U3

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[17/12/2008 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[23/08/2001 08:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ MsgPlus SPONSOR INSTALLED !

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsgPlus! Plugin]
"DisplayName"="Messenger Plus! 3 & Sponsor"
"SponsorInstalled"=dword:00000001


--------------------\\ Listing Folders in C:\Program Files

[01/12/2008|09:34] C:\Program Files\<DIR> Abbyy FineReader 6.0 Sprint
[16/12/2008|01:42] C:\Program Files\<DIR> Accessories
[01/12/2008|02:45] C:\Program Files\<DIR> Adobe
[15/12/2008|01:48] C:\Program Files\<DIR> Ahead
[01/12/2008|07:17] C:\Program Files\<DIR> Apple Software Update
[13/12/2004|10:50] C:\Program Files\<DIR> Avance Sound Manager
[30/11/2008|09:15] C:\Program Files\<DIR> Avira
[15/12/2008|08:13] C:\Program Files\<DIR> AvRack
[01/12/2008|08:09] C:\Program Files\<DIR> Canon
[17/12/2008|12:38] C:\Program Files\<DIR> Common Files
[13/12/2004|10:07] C:\Program Files\<DIR> ComPlus Applications
[18/07/2007|11:36] C:\Program Files\<DIR> InstallShield Installation Information
[13/12/2004|10:48] C:\Program Files\<DIR> Intel
[15/12/2008|05:12] C:\Program Files\<DIR> Internet Explorer
[01/12/2008|07:18] C:\Program Files\<DIR> iPod
[01/12/2008|07:18] C:\Program Files\<DIR> iTunes
[07/12/2008|09:32] C:\Program Files\<DIR> Java
[18/07/2007|11:38] C:\Program Files\<DIR> KODAK
[30/11/2008|08:55] C:\Program Files\<DIR> Lavasoft
[01/12/2008|09:41] C:\Program Files\<DIR> Lexmark 6500 Series
[13/12/2004|04:10] C:\Program Files\<DIR> Linksys
[15/12/2008|05:12] C:\Program Files\<DIR> Messenger
[08/12/2008|08:17] C:\Program Files\<DIR> Messenger Plus! Live
[08/12/2008|08:04] C:\Program Files\<DIR> MessengerPlus! 3
[30/11/2008|07:22] C:\Program Files\<DIR> Microsoft ActiveSync
[13/12/2004|10:09] C:\Program Files\<DIR> microsoft frontpage
[30/11/2008|08:06] C:\Program Files\<DIR> Microsoft Office
[30/11/2008|08:06] C:\Program Files\<DIR> Microsoft Visual Studio
[25/01/2008|01:33] C:\Program Files\<DIR> Microsoft Works
[15/12/2008|04:37] C:\Program Files\<DIR> Movie Maker
[30/11/2008|07:36] C:\Program Files\<DIR> MSN
[30/11/2008|07:05] C:\Program Files\<DIR> MSN Gaming Zone
[08/12/2008|08:17] C:\Program Files\<DIR> MSN Messenger
[25/05/2005|07:52] C:\Program Files\<DIR> MSXML 4.0
[15/12/2008|04:33] C:\Program Files\<DIR> NetMeeting
[13/12/2004|01:58] C:\Program Files\<DIR> OfficeUpdate11
[30/11/2008|07:07] C:\Program Files\<DIR> Online Services
[08/12/2008|08:05] C:\Program Files\<DIR> open internet active
[15/12/2008|04:33] C:\Program Files\<DIR> Outlook Express
[15/11/2005|09:03] C:\Program Files\<DIR> Overland
[01/12/2008|07:17] C:\Program Files\<DIR> QuickTime
[16/12/2008|03:58] C:\Program Files\<DIR> Trend Micro
[13/05/2005|07:18] C:\Program Files\<DIR> Uninstall Information
[13/12/2004|11:35] C:\Program Files\<DIR> Windows Journal Viewer
[08/12/2008|08:17] C:\Program Files\<DIR> Windows Live
[15/12/2008|04:37] C:\Program Files\<DIR> Windows Media Player
[15/12/2008|04:33] C:\Program Files\<DIR> Windows NT
[30/11/2008|07:15] C:\Program Files\<DIR> WindowsUpdate
[30/11/2008|08:54] C:\Program Files\<DIR> WinZip
[30/11/2008|07:09] C:\Program Files\<DIR> xerox
[09/03/2005|11:18] C:\Program Files\<DIR> Yahoo!
[15/09/2008|07:10] C:\Program Files\<DIR> Zone Labs
[30/11/2008|08:35] C:\Program Files\<DIR> ZoneAlarmSB

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/01/2008|04:30] C:\Program Files\Common Files\<DIR> Adaptec Shared
[01/12/2008|02:45] C:\Program Files\Common Files\<DIR> Adobe
[05/04/2007|11:38] C:\Program Files\Common Files\<DIR> Canon
[13/12/2004|10:58] C:\Program Files\Common Files\<DIR> DESIGNER
[13/05/2005|07:13] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[15/12/2008|06:48] C:\Program Files\Common Files\<DIR> InstallShield
[10/10/2008|05:02] C:\Program Files\Common Files\<DIR> Java
[30/11/2008|08:05] C:\Program Files\Common Files\<DIR> L&H
[30/11/2008|08:06] C:\Program Files\Common Files\<DIR> Microsoft Shared
[30/11/2008|07:06] C:\Program Files\Common Files\<DIR> MSSoap
[12/12/2004|05:58] C:\Program Files\Common Files\<DIR> ODBC
[03/11/2006|12:13] C:\Program Files\Common Files\<DIR> Services
[30/11/2008|02:32] C:\Program Files\Common Files\<DIR> SpeechEngines
[30/11/2008|04:00] C:\Program Files\Common Files\<DIR> Symantec Shared
[15/12/2008|04:33] C:\Program Files\Common Files\<DIR> System
[30/11/2008|08:55] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 37 Processes )

iexplore.exe ~ [PID:3684]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\2 tray tick inside
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\2 tray tick inside\List two.exe
C:\DOCUME~1\snowy\Cookies\snowy@advertising[1].txt

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TICK INSIDE TIME WAY"="C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\2 tray tick inside\\List two.exe"

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 19:27:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0




--------------------\\ Searching for other infections

No other infections found !

[F:2][D:0]-> C:\DOCUME~1\snowy\LOCALS~1\Temp
[F:85][D:0]-> C:\DOCUME~1\snowy\Cookies
[F:997][D:4]-> C:\DOCUME~1\snowy\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 17/12/2008|19:28 - Option : [1]

--------------------\\ Scan completed at 19:28:25
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: Explorer is redirecting via malware

Unread postby andyspeake » December 19th, 2008, 5:09 pm

  • Choose the language by typing the corresponding letter and press Enter
  • Click OK at the informative window
  • Type 3 to choose Option 3 (Fix - Hosts), then press Enter
  • Don't close the window during suppression!
  • Wait until the end of the scan
  • A report will be generated, post the contents of it in your next reply.
(Copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt)
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Explorer is redirecting via malware

Unread postby slewrate » December 20th, 2008, 11:47 am

Thanks once more. I'm impressed with the progress, and I'm learning stuff too!


--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel(R) Pentium(R) 4 CPU 2.80GHz )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : snowy ( Administrator )
BOOT : Normal boot
Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Not Activated)
Firewall : ZoneAlarm Firewall 7.0.483.000 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:111 Go (Free:96 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [3] ( 20/12/2008|11:41 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\2 tray tick inside\List two.exe
Deleted! - C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\2 tray tick inside

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[03/11/2006|12:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[03/11/2006|12:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[13/12/2004|01:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[08/03/2007|09:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[15/09/2008|07:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MailFrontier
[13/12/2004|11:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[28/06/2005|01:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[30/11/2008|03:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[30/11/2008|02:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Weather Studio

[01/12/2008|09:34] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> 6500 Series
[30/11/2008|08:47] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Adobe
[01/12/2008|07:17] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Apple
[01/12/2008|07:18] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Apple Computer
[30/11/2008|09:15] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Avira
[30/11/2008|08:57] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Lavasoft
[30/11/2008|08:34] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> MailFrontier
[09/12/2008|05:38] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Messenger Plus!
[15/12/2008|04:39] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Microsoft
[30/11/2008|07:35] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> MSN6
[01/12/2008|07:57] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> ZoomBrowser


[08/12/2006|12:28] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[13/12/2004|01:25] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[30/11/2008|07:08] C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\<DIR> Microsoft

[03/12/2008|07:19] C:\DOCUME~1\Guest\APPLIC~1\<DIR> 6500 Series
[03/12/2008|07:20] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Adobe
[03/12/2008|07:19] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Identities
[03/12/2008|07:19] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Microsoft

[30/11/2008|07:15] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[30/11/2008|07:15] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[29/10/2008|06:46] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Adobe
[18/07/2007|11:09] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> AdobeUM
[12/09/2005|05:01] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> DeepBurner
[22/01/2007|03:40] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Help
[13/12/2004|10:12] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Identities
[14/03/2006|11:46] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Leadertech
[30/11/2008|04:00] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> LimeWire
[15/12/2004|06:48] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Macromedia
[15/09/2008|07:33] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Microsoft
[10/10/2008|05:04] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Sun
[13/12/2004|11:03] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Symantec
[13/11/2008|05:10] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> U3
[30/11/2008|02:18] C:\DOCUME~1\PE342~1.BLA\APPLIC~1\<DIR> Weather Studio

[15/12/2008|06:40] C:\DOCUME~1\Ray\APPLIC~1\<DIR> Microsoft

[01/12/2008|09:41] C:\DOCUME~1\snowy\APPLIC~1\<DIR> 6500 Series
[01/12/2008|02:50] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Adobe
[01/12/2008|07:18] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Apple Computer
[30/11/2008|08:51] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Identities
[01/12/2008|06:41] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Macromedia
[16/12/2008|03:58] C:\DOCUME~1\snowy\APPLIC~1\<DIR> Microsoft
[15/12/2008|08:54] C:\DOCUME~1\snowy\APPLIC~1\<DIR> U3

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[20/12/2008 08:56 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[23/08/2001 08:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/12/2008|09:34] C:\Program Files\<DIR> Abbyy FineReader 6.0 Sprint
[16/12/2008|01:42] C:\Program Files\<DIR> Accessories
[01/12/2008|02:45] C:\Program Files\<DIR> Adobe
[15/12/2008|01:48] C:\Program Files\<DIR> Ahead
[01/12/2008|07:17] C:\Program Files\<DIR> Apple Software Update
[13/12/2004|10:50] C:\Program Files\<DIR> Avance Sound Manager
[30/11/2008|09:15] C:\Program Files\<DIR> Avira
[15/12/2008|08:13] C:\Program Files\<DIR> AvRack
[01/12/2008|08:09] C:\Program Files\<DIR> Canon
[17/12/2008|12:38] C:\Program Files\<DIR> Common Files
[13/12/2004|10:07] C:\Program Files\<DIR> ComPlus Applications
[18/07/2007|11:36] C:\Program Files\<DIR> InstallShield Installation Information
[13/12/2004|10:48] C:\Program Files\<DIR> Intel
[15/12/2008|05:12] C:\Program Files\<DIR> Internet Explorer
[01/12/2008|07:18] C:\Program Files\<DIR> iPod
[01/12/2008|07:18] C:\Program Files\<DIR> iTunes
[07/12/2008|09:32] C:\Program Files\<DIR> Java
[18/07/2007|11:38] C:\Program Files\<DIR> KODAK
[30/11/2008|08:55] C:\Program Files\<DIR> Lavasoft
[01/12/2008|09:41] C:\Program Files\<DIR> Lexmark 6500 Series
[13/12/2004|04:10] C:\Program Files\<DIR> Linksys
[15/12/2008|05:12] C:\Program Files\<DIR> Messenger
[08/12/2008|08:17] C:\Program Files\<DIR> Messenger Plus! Live
[08/12/2008|08:04] C:\Program Files\<DIR> MessengerPlus! 3
[30/11/2008|07:22] C:\Program Files\<DIR> Microsoft ActiveSync
[13/12/2004|10:09] C:\Program Files\<DIR> microsoft frontpage
[30/11/2008|08:06] C:\Program Files\<DIR> Microsoft Office
[30/11/2008|08:06] C:\Program Files\<DIR> Microsoft Visual Studio
[25/01/2008|01:33] C:\Program Files\<DIR> Microsoft Works
[15/12/2008|04:37] C:\Program Files\<DIR> Movie Maker
[30/11/2008|07:36] C:\Program Files\<DIR> MSN
[30/11/2008|07:05] C:\Program Files\<DIR> MSN Gaming Zone
[18/12/2008|05:31] C:\Program Files\<DIR> MSN Messenger
[25/05/2005|07:52] C:\Program Files\<DIR> MSXML 4.0
[15/12/2008|04:33] C:\Program Files\<DIR> NetMeeting
[13/12/2004|01:58] C:\Program Files\<DIR> OfficeUpdate11
[30/11/2008|07:07] C:\Program Files\<DIR> Online Services
[08/12/2008|08:05] C:\Program Files\<DIR> open internet active
[19/12/2008|08:20] C:\Program Files\<DIR> Outlook Express
[15/11/2005|09:03] C:\Program Files\<DIR> Overland
[01/12/2008|07:17] C:\Program Files\<DIR> QuickTime
[16/12/2008|03:58] C:\Program Files\<DIR> Trend Micro
[13/05/2005|07:18] C:\Program Files\<DIR> Uninstall Information
[13/12/2004|11:35] C:\Program Files\<DIR> Windows Journal Viewer
[08/12/2008|08:17] C:\Program Files\<DIR> Windows Live
[15/12/2008|04:37] C:\Program Files\<DIR> Windows Media Player
[15/12/2008|04:33] C:\Program Files\<DIR> Windows NT
[30/11/2008|07:15] C:\Program Files\<DIR> WindowsUpdate
[30/11/2008|08:54] C:\Program Files\<DIR> WinZip
[30/11/2008|07:09] C:\Program Files\<DIR> xerox
[09/03/2005|11:18] C:\Program Files\<DIR> Yahoo!
[15/09/2008|07:10] C:\Program Files\<DIR> Zone Labs
[30/11/2008|08:35] C:\Program Files\<DIR> ZoneAlarmSB

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/01/2008|04:30] C:\Program Files\Common Files\<DIR> Adaptec Shared
[01/12/2008|02:45] C:\Program Files\Common Files\<DIR> Adobe
[05/04/2007|11:38] C:\Program Files\Common Files\<DIR> Canon
[13/12/2004|10:58] C:\Program Files\Common Files\<DIR> DESIGNER
[13/05/2005|07:13] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[15/12/2008|06:48] C:\Program Files\Common Files\<DIR> InstallShield
[10/10/2008|05:02] C:\Program Files\Common Files\<DIR> Java
[30/11/2008|08:05] C:\Program Files\Common Files\<DIR> L&H
[30/11/2008|08:06] C:\Program Files\Common Files\<DIR> Microsoft Shared
[30/11/2008|07:06] C:\Program Files\Common Files\<DIR> MSSoap
[12/12/2004|05:58] C:\Program Files\Common Files\<DIR> ODBC
[03/11/2006|12:13] C:\Program Files\Common Files\<DIR> Services
[30/11/2008|02:32] C:\Program Files\Common Files\<DIR> SpeechEngines
[30/11/2008|04:00] C:\Program Files\Common Files\<DIR> Symantec Shared
[15/12/2008|04:33] C:\Program Files\Common Files\<DIR> System
[30/11/2008|08:55] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 34 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 11:42:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:4][D:0]-> C:\DOCUME~1\snowy\LOCALS~1\Temp
[F:100][D:0]-> C:\DOCUME~1\snowy\Cookies
[F:2093][D:4]-> C:\DOCUME~1\snowy\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 17/12/2008|19:28 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 20/12/2008|11:37 - Option : [1]
3 - "C:\Lop SD\LopR_3.txt" - 20/12/2008|11:43 - Option : [3]

--------------------\\ Scan completed at 11:43:10
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: Explorer is redirecting via malware

Unread postby andyspeake » December 21st, 2008, 8:14 am

Could you please post back a fresh HJT log?

Thanks.
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Explorer is redirecting via malware

Unread postby slewrate » December 21st, 2008, 12:35 pm

There you go, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:56 PM, on 21/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxdfcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=26688
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\System32\lxdfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6518 bytes
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: Explorer is redirecting via malware

Unread postby andyspeake » December 21st, 2008, 1:46 pm

Hi,

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    c:\windows\002521_.tmp
    c:\windows\000001_.tmp
    
    DirLook::
    C:\logs
    C:\arch
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


So please post back the MBAM log and ComboFix results, and a fresh HJT log.

Thanks.
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland
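Added example, not from this thread and not part of HijackThis, Malwarebytes or ComboFix: a small Python triage script that applies three patterns a helper looks for when reading logs like the ones in this thread. It flags Vundo-style file names (eight lowercase letters strictly alternating consonant and vowel, which is what every Trojan.Vundo hit in the MBAM log below looks like) when they sit under system32, O2 BHO entries whose DLL is gone from disk, and O4 Run entries that give a bare file name instead of a full path (the SoundMan entry above is one; it resolves via the search path, so where it actually lives has to be checked). It also sorts MBAM "Files Infected" lines by where the file lived, since a hit inside C:\Qoobox (ComboFix's quarantine) or a System Restore point is already inert while one in system32 is not. The naming rule is a heuristic and will match some legitimate names. Sample lines are copied from the logs in this thread except the third HJT line, which is constructed with a placeholder CLSID to show a still-live BHO.

```python
"""Triage helpers for HijackThis (HJT) and Malwarebytes (MBAM) log excerpts.

Added example for this thread; it is not part of HijackThis, MBAM or
ComboFix. The rules are heuristics read off the logs in the thread
(Vundo-style random DLL names, orphaned BHO entries, path-less Run
entries) and can false-positive on legitimate software.
"""
import re
from collections import Counter

# Eight lowercase letters, strictly alternating consonant/vowel (e.g. "bizituwu").
# Every Trojan.Vundo file name in the thread's MBAM log fits this; heuristic only.
_VUNDO_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
_HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys)', re.IGNORECASE)
_MBAM_HIT = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def is_vundo_style(path: str) -> bool:
    """True if the file's base name (before any extension) looks Vundo-generated."""
    base = path.rsplit("\\", 1)[-1].lower()
    stem = base.split(".", 1)[0]
    return bool(_VUNDO_NAME.match(stem))


def triage_hjt(text: str) -> list:
    """Return (severity, reason, line) findings for the HJT lines in `text`."""
    findings = []
    for line in text.splitlines():
        m = _HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        # Orphaned BHO: CLSID still registered but the DLL is gone (often a removal leftover).
        if sec == "O2" and body.endswith("(no file)"):
            findings.append(("info", "BHO CLSID with no DLL on disk", line))
        # Random-named DLL under system32: the Vundo pattern seen in this thread.
        for path in _WIN_PATH.findall(line):
            if "\\system32\\" in path.lower() and is_vundo_style(path):
                findings.append(("high", "Vundo-style random DLL name in system32", line))
        # A Run entry without a full path is resolved via the search path; check where it lives.
        if sec == "O4" and "] " in body:
            target = body.split("] ", 1)[1]
            if not re.match(r'"?[A-Za-z]:\\', target):
                findings.append(("review", "Run entry without a full path", line))
    return findings


def classify_mbam(text: str) -> dict:
    """Count MBAM 'Files Infected' hits by where the file actually lived."""
    counts = Counter()
    for line in text.splitlines():
        m = _MBAM_HIT.match(line)
        if not m:
            continue
        p = m.group("path").lower()
        if "\\qoobox\\quarantine\\" in p:
            counts["already_quarantined"] += 1   # ComboFix had already neutralised it
        elif "\\system volume information\\_restore" in p:
            counts["restore_point"] += 1         # inert copy inside a System Restore point
        else:
            counts["live"] += 1                  # still on the running system
    return dict(counts)


# Sample input. HJT lines are copied from the thread except the third, which is
# constructed (placeholder CLSID) to show what a still-live Vundo BHO looks like.
SAMPLE_HJT = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\bizituwu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

# Four lines copied from the MBAM log in the thread.
SAMPLE_MBAM = r"""C:\Qoobox\Quarantine\C\WINDOWS\system32\bizituwu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP23\A0004845.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\derasafe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duyagawe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for sev, why, line in triage_hjt(SAMPLE_HJT):
        print(f"[{sev}] {why}: {line}")
    print(classify_mbam(SAMPLE_MBAM))
```

Run against the full MBAM log posted further down, the same classification gives 14 hits already sitting in ComboFix's quarantine, 18 inert copies in restore points and only 3 live files in system32, which is the part of a 35-line result that actually matters for the machine's state.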

Re: Explorer is redirecting via malware

Unread postby slewrate » December 21st, 2008, 4:44 pm

Yo! more!
Mbam-Log
Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 2

21/12/2008 4:05:47 PM
mbam-log-2008-12-21 (16-05-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 141304
Time elapsed: 1 hour(s), 34 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\bizituwu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gakemojo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gobijadi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hohebalo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lotoyeyo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mulivusi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\podobira.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pufuniso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senazisa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vapuhonu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\worapupi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yebizopo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yizofuyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ziperame.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP23\A0004845.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP32\A0013638.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP32\A0013639.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP32\A0013640.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020351.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020354.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020356.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020360.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020361.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020367.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020368.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020370.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020376.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020377.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020380.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020381.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020383.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8365296F-9634-4BCE-A455-6F999720D6B3}\RP33\A0020355.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\derasafe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duyagawe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kosuyapu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

__________________________________________________________________________
ComboFix
ComboFix 08-12-16.03 - snowy 2008-12-21 16:34:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.253 [GMT -4:00]
Running from: c:\win\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\snowy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\000001_.tmp
c:\windows\002521_.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\000001_.tmp
c:\windows\002521_.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 14:27 . 2008-12-21 14:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 14:27 . 2008-12-21 14:27 <DIR> d-------- c:\documents and settings\snowy\Application Data\Malwarebytes
2008-12-21 14:27 . 2008-12-21 14:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-21 14:27 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 14:27 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 13:12 . 2008-12-20 13:12 <DIR> d-------- c:\documents and settings\snowy\Application Data\AdobeUM
2008-12-17 19:25 . 2008-12-20 11:43 <DIR> d-------- C:\Lop SD
2008-12-17 13:22 . 2008-12-17 13:22 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-16 15:58 . 2008-12-16 15:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-16 00:20 . 2008-12-16 00:20 772,652 --a------ c:\documents and settings\All Users.aawqff
2008-12-15 21:31 . 2008-12-15 21:31 147 --a------ c:\windows\RtlRack.ini
2008-12-15 21:29 . 2002-07-26 08:43 151,552 --a------ c:\windows\system32\igfxres.dll
2008-12-15 20:13 . 2002-04-23 11:12 208,896 --------- c:\windows\alcupd.exe
2008-12-15 20:13 . 2001-07-06 00:19 164 --------- c:\windows\avrack.ini
2008-12-15 20:03 . 2008-12-15 20:54 <DIR> d-------- c:\documents and settings\snowy\Application Data\U3
2008-12-15 16:39 . 2008-12-15 17:13 316,640 --a------ c:\windows\WMSysPr9.prx
2008-12-15 16:39 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-15 16:38 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2008-12-15 16:38 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2008-12-15 16:38 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2008-12-15 16:38 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2008-12-15 16:38 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2008-12-15 16:31 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2008-12-15 16:30 . 2004-08-03 22:42 15,872 --a------ c:\windows\system32\spupdsvc.exe
2008-12-15 16:03 . 2004-08-04 00:56 96,768 --a------ c:\windows\system32\dpcdll.dll
2008-12-15 15:59 . 2004-08-04 00:56 2,940,928 --a------ c:\windows\system32\wmploc.dll
2008-12-15 13:46 . 2002-05-07 14:34 716,800 --------- c:\windows\NuNInst.exe
2008-12-15 13:46 . 2002-05-22 03:02 336,768 --------- c:\windows\system32\drivers\bsudf.sys
2008-12-15 13:46 . 2002-03-11 09:57 74,640 --------- c:\windows\NuNInst.cfg
2008-12-15 13:46 . 2002-05-01 12:05 9,088 --------- c:\windows\system32\drivers\bsstor.sys
2008-12-09 17:38 . 2008-12-09 17:38 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Messenger Plus!
2008-12-08 20:17 . 2008-12-08 20:17 <DIR> d-------- c:\program files\Windows Live
2008-12-08 20:17 . 2008-12-08 20:17 <DIR> d-------- c:\program files\Messenger Plus! Live
2008-12-08 20:05 . 2008-12-08 20:05 <DIR> d-------- c:\program files\open internet active
2008-12-08 20:03 . 2008-12-08 20:04 <DIR> d-------- c:\program files\MessengerPlus! 3
2008-12-08 19:52 . 2008-12-21 12:27 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-08 19:52 . 2008-12-08 19:52 1,409 --a------ c:\windows\QTFont.for
2008-12-07 21:33 . 2008-12-14 20:18 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-07 21:32 . 2008-12-07 21:32 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-07 21:32 . 2008-12-07 21:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-03 07:19 . 2008-12-03 07:19 <DIR> d-------- c:\documents and settings\Guest\Application Data\6500 Series
2008-12-03 07:19 . 2008-12-03 07:19 <DIR> d-------- c:\documents and settings\Guest
2008-12-01 19:40 . 2004-08-03 23:07 171,776 --a------ c:\windows\system32\drivers\kmixer.sys
2008-12-01 19:40 . 2004-08-03 22:39 142,464 --a------ c:\windows\system32\drivers\aec.sys
2008-12-01 19:40 . 2004-08-03 23:15 82,944 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-12-01 19:40 . 2004-08-03 23:15 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
2008-12-01 19:40 . 2001-08-17 14:00 54,272 --a------ c:\windows\system32\drivers\swmidi.sys
2008-12-01 19:40 . 2001-08-17 14:00 54,272 --a--c--- c:\windows\system32\dllcache\swmidi.sys
2008-12-01 19:40 . 2004-08-03 23:07 52,864 --a------ c:\windows\system32\drivers\dmusic.sys
2008-12-01 19:40 . 2004-08-03 23:07 6,400 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-01 19:40 . 2004-08-03 23:07 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
2008-12-01 19:39 . 2002-08-02 18:10 659,228 --a------ c:\windows\system32\drivers\ALCXWDM.SYS
2008-12-01 19:39 . 2004-08-04 00:56 192,000 --a------ c:\windows\system32\iuengine.dll
2008-12-01 19:39 . 2004-08-03 23:15 145,792 --a------ c:\windows\system32\drivers\portcls.sys
2008-12-01 19:39 . 2004-08-03 23:15 145,792 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-12-01 19:39 . 2004-08-03 23:08 60,288 --a------ c:\windows\system32\drivers\drmk.sys
2008-12-01 19:39 . 2004-08-03 23:08 60,288 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-12-01 19:39 . 2004-08-04 00:56 23,552 --a------ c:\windows\system32\wdmaud.drv
2008-12-01 14:39 . 2008-12-01 14:39 <DIR> d-------- c:\documents and settings\snowy\WINDOWS
2008-12-01 14:39 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-01 09:41 . 2008-12-01 09:41 <DIR> d-------- c:\documents and settings\snowy\Application Data\6500 Series
2008-12-01 09:40 . 2008-12-01 09:41 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Lx_cats
2008-12-01 09:36 . 2008-12-01 09:36 <DIR> d-------- C:\logs
2008-12-01 09:36 . 2007-05-03 15:50 348,160 --a------ c:\windows\system32\lxdfcoin.dll
2008-12-01 09:36 . 2006-08-01 01:53 40,960 --a------ c:\windows\system32\lxdfvs.dll
2008-12-01 09:35 . 2007-05-24 16:24 692,224 --a------ c:\windows\system32\lxdfdrs.dll
2008-12-01 09:35 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2008-12-01 09:35 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2008-12-01 09:35 . 2007-04-17 10:17 69,632 --a------ c:\windows\system32\lxdfcnv4.dll
2008-12-01 09:35 . 2007-05-22 10:09 65,536 --a------ c:\windows\system32\lxdfcaps.dll
2008-12-01 09:35 . 2007-05-24 07:41 45,056 --a------ c:\windows\system32\LXDFPMON.DLL
2008-12-01 09:35 . 2007-05-24 07:41 32,768 --a------ c:\windows\system32\LXDFFXPU.DLL
2008-12-01 09:34 . 2008-12-01 09:34 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
2008-12-01 09:34 . 2008-12-01 09:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\6500 Series
2008-12-01 09:34 . 2006-06-02 17:12 339,968 --a------ c:\windows\system32\IMGMAN32.DLL
2008-12-01 09:34 . 2006-06-02 17:12 98,345 --a------ c:\windows\system32\IMHOST32.DLL
2008-12-01 09:34 . 2006-06-02 17:12 98,304 --a------ c:\windows\system32\IM31XPNG.DEL
2008-12-01 09:34 . 2007-04-09 10:59 69,632 --a------ c:\windows\system32\lxdfoem.dll
2008-12-01 09:34 . 2006-06-02 17:12 69,632 --a------ c:\windows\system32\IM31XTIF.DEL
2008-12-01 09:34 . 2006-06-02 17:12 49,152 --a------ c:\windows\system32\IM31IMG.DIL
2008-12-01 09:32 . 2008-12-01 09:41 <DIR> d-------- c:\program files\Lexmark 6500 Series
2008-12-01 08:23 . 1993-03-22 03:55 103,968 --a------ c:\windows\TYPECASE.EXE
2008-12-01 08:23 . 1993-03-24 05:23 55,789 --a------ c:\windows\TYPECASE.HLP
2008-12-01 08:23 . 2008-12-01 08:24 46,482 --a------ c:\windows\typecase.ini
2008-12-01 08:23 . 2008-12-01 08:23 37 --a------ c:\windows\progman.ini
2008-12-01 07:57 . 2008-12-01 07:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\ZoomBrowser
2008-12-01 07:54 . 2001-08-17 22:36 146,944 --a------ c:\windows\system32\ptpusd.dll
2008-12-01 07:54 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-01 07:54 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-01 07:18 . 2008-12-01 07:18 <DIR> d-------- c:\program files\iTunes
2008-12-01 07:18 . 2008-12-01 07:18 <DIR> d-------- c:\program files\iPod
2008-12-01 07:18 . 2008-12-01 07:18 <DIR> d-------- c:\documents and settings\snowy\Application Data\Apple Computer
2008-12-01 07:17 . 2008-12-01 07:17 <DIR> d-------- c:\program files\Apple Software Update
2008-12-01 07:17 . 2008-12-01 07:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-01 07:17 . 2008-12-01 07:17 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2008-12-01 06:45 . 2008-12-01 06:45 <DIR> d---s---- c:\documents and settings\snowy\UserData
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\program files\Avira
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2008-11-30 20:55 . 2008-11-30 20:55 <DIR> d---s---- c:\windows\system32\Microsoft
2008-11-30 20:55 . 2008-11-30 20:55 <DIR> d-------- c:\program files\Lavasoft
2008-11-30 20:55 . 2008-11-30 20:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-30 20:55 . 2008-11-30 20:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2008-11-30 20:51 . 2008-12-17 13:14 <DIR> d-------- c:\documents and settings\snowy
2008-11-30 20:48 . 2008-11-30 20:49 <DIR> d--h----- c:\windows\msdownld.tmp
2008-11-30 20:46 . 2008-11-30 20:46 <DIR> d-------- c:\windows\Cache
2008-11-30 20:35 . 2008-11-30 20:35 <DIR> d-------- c:\program files\ZoneAlarmSB
2008-11-30 20:34 . 2008-11-30 20:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\MailFrontier
2008-11-30 20:33 . 2008-12-21 12:44 <DIR> d-------- c:\windows\Internet Logs
2008-11-30 20:05 . 2008-11-30 20:05 <DIR> d-------- c:\program files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 21:31 --------- d-----w c:\program files\MSN Messenger
2008-12-17 16:41 982,248 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-17 16:23 183,808 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-12-17 16:23 1,530,880 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-12-17 16:21 1,530,880 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-12-16 05:42 --------- d-----w c:\program files\Accessories
2008-12-16 00:13 --------- d-----w c:\program files\AvRack
2008-12-15 22:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-15 22:16 234,496 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-12-15 22:16 1,471,488 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-12-15 17:48 --------- d-----w c:\program files\Ahead
2008-12-10 22:39 639,488 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-12-10 22:39 1,447,936 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-12-09 00:44 1,454,592 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-12-09 00:06 1,460,224 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-12-08 01:32 --------- d-----w c:\program files\Java
2008-12-01 18:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-01 12:09 --------- d-----w c:\program files\Canon
2008-12-01 11:17 --------- d-----w c:\program files\QuickTime
2008-11-30 23:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\MSN6
2008-11-30 23:22 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-30 20:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-30 18:18 --------- d-----w c:\documents and settings\P. Blanchard\Application Data\Weather Studio
2008-11-13 21:10 --------- d-----w c:\documents and settings\P. Blanchard\Application Data\U3
2005-10-12 17:54 20,798,256 ----a-w c:\program files\AdbeRdr70_enu_full.exe
2005-10-12 17:52 6,811,904 ----a-w c:\program files\psa2011se_us.exe
2005-10-12 17:51 494,704 ----a-w c:\program files\ytb02_efgsip.exe
2004-12-13 14:08 271 --sh--w c:\program files\desktop.ini
2004-12-13 14:08 21,952 ---ha-w c:\program files\folder.htt
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\arch ----

c:\arch\

---- Directory of C:\logs ----



((((((((((((((((((((((((((((( snapshot@2008-12-17_12.43.45.91 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-30 23:48:38 29,926 ----a-r c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-12-18 21:31:29 29,926 ----a-r c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2008-12-17 16:12:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-19 14:40:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-17 16:12:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-19 14:40:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-17 16:12:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 14:40:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 04:56:58 46,080 -c--a-w c:\windows\system32\dllcache\wab.exe
+ 2008-12-21 14:13:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\ahead\InCD\InCD.exe" [2002-05-22 1032192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-07-26 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-07-26 114688]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-01 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-12-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\sched.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\DRIVERS\bsstor.sys [2008-12-15 9088]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-11-30 45376]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\BsUDF.sys [2008-12-15 336768]
R2 lxdf_device;lxdf_device;c:\windows\System32\lxdfcoms.exe -service []
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2008-12-01 99248]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 16:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2008-12-21 16:37:19
ComboFix-quarantined-files.txt 2008-12-21 20:37:14
ComboFix2.txt 2008-12-17 16:45:19

Pre-Run: 103,867,543,552 bytes free
Post-Run: 103,959,248,896 bytes free

253
____________________________________________________________________________________________
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:00 PM, on 21/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxdfcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=26688
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\System32\lxdfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6510 bytes
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: Explorer is redirecting via malware

Unread postby andyspeake » December 22nd, 2008, 9:41 am

Hi,

How's your computer running?

I recommend you uninstall ZoneAlarm spyblocker as it has been installed with the Ask toolbar which can present you with security vulnerabilities. You can do this via Add/Remove Programs in the control panel.

Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6u11.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Post back a fresh HJT log and the info I asked for.

Thanks :)
andyspeake
Regular Member
 
Posts: 1914
Joined: June 8th, 2007, 9:29 pm
Location: Glasgow, Scotland

Re: Explorer is redirecting via malware

Unread postby slewrate » December 23rd, 2008, 8:59 am

Computer running super fast, thanks again, Merry Christmas

Uninstalled ZoneAlarm spyblocker!
all older Java JRE removed
JRE ver 6.11 installed
HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:53 AM, on 23/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\lxdfcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://shop.antivir-pe.de/en?U2VyaWFsP ... 0yMDA3Ig==
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\System32\lxdfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6212 bytes
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm
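The helper's "post back a fresh HJT log" step is a verification step: the two logs above are compared by eye to confirm that the ZoneAlarm Spy Blocker BHO/toolbar entries and the old Java download entry are gone. The script below is an added example, not part of this thread or of HijackThis itself; it parses two HijackThis logs, lists the entries that disappeared or appeared between them, and flags O2/O3 entries that HijackThis marks "(no file)" (a browser helper registration whose DLL is missing, typically a leftover from an uninstalled or removed component). The two log excerpts embedded in it are constructed, abridged versions of the before/after logs posted above; the truncated URL is copied as the forum displays it.

```python
"""Compare two HijackThis logs and flag entries that deserve a second look.

Added example for this thread. The embedded logs are constructed excerpts
modelled on the two logs posted above (before and after the cleanup).
"""
import re
from typing import List, Tuple

# HijackThis entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Constructed excerpt of the first log (16/12/2008), abridged to a few entries.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:04 PM, on 16/12/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=26688
--
End of file - 6510 bytes
"""

# Constructed excerpt of the second log (23/12/2008), after the uninstalls.
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:53 AM, on 23/12/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
--
End of file - 6212 bytes
"""


def parse_entries(log_text: str) -> List[str]:
    """Return the R/F/N/O entry lines of a HijackThis log, in order, trimmed.

    Header lines, the 'Running processes' list and the footer are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.append(line)
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries present only in the earlier log (removed) and only in the later one (added)."""
    old, new = set(parse_entries(before)), set(parse_entries(after))
    return sorted(old - new), sorted(new - old)


def orphaned_entries(log_text: str) -> List[str]:
    """O2 (BHO) and O3 (toolbar) entries whose backing DLL HijackThis could not find."""
    return [
        e for e in parse_entries(log_text)
        if e.startswith(("O2 - ", "O3 - ")) and e.endswith("(no file)")
    ]


def report(before: str, after: str) -> str:
    """Human-readable summary of what changed and what is still worth checking."""
    removed, added = diff_logs(before, after)
    lines = ["Entries gone since the previous log:"]
    lines += [f"  - {e}" for e in removed] or ["  (none)"]
    lines.append("Entries new in this log:")
    lines += [f"  + {e}" for e in added] or ["  (none)"]
    lines.append("Registrations still pointing at a missing file:")
    lines += [f"  ! {e}" for e in orphaned_entries(after)] or ["  (none)"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

Running it on the two constructed excerpts lists the two ZoneAlarmSB registrations and the old Java O16 entry as gone, the new Yahoo start page as added, and the nameless "(no file)" BHO as the one registration still worth cleaning up; on a full pair of logs, the same diff makes it obvious whether a reported uninstall actually took effect.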