Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Help needed with redirect virus


Post by bitey » April 24th, 2009, 6:24 am

I have recently realised that my computer is likely infected with some kind of redirecting virus: when I'm googling something and click on one of the search results, the URL of the intended website will appear for a bit, but then it redirects to another page, sometimes loosely related but mostly not. This doesn't always happen; sometimes the real page shows and stays, and bookmarks seem unaffected, but several attempts at installing and running various anti-virus/malware programs (Ad-Aware, Avira, Malwarebytes, Spybot) have done nothing to resolve this problem. I've also noticed that I seem to be unable to update this software; both Malwarebytes and Avira were unable to update. In addition, my internet browser (Firefox) and Microsoft Outlook occasionally crash without explanation (although I get a message offering to report the error).

Could anyone guide me through the best way of dealing with this (I'm a bit of a nooby)? Here is a current HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:36, on 24/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&c ... bd=0061103
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xpango.com/fe/htm/login/login.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/defau ... l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&c ... bd=0061103
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NBKeyScan] "F:\Nero\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8248 bytes

I thought I had managed to get rid of this a few weeks ago when I downloaded the latest version of Malwarebytes (the virus seems to be blocking legitimate programs from updating), but it seems to have returned. Here is the Malwarebytes log with the trojan that it identified a few weeks ago:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

07/04/2009 12:48:33
mbam-log-2009-04-07 (12-48-33).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 210048
Time elapsed: 1 hour(s), 22 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\fxpbtlm.ynk (Trojan.Daonol) -> Quarantined and deleted successfully.


Hope you can help, Bitey
bitey
Active Member
 
Posts: 10
Joined: April 24th, 2009, 6:17 am

Re: Help needed with redirect virus

Post by Wi[k]! » April 25th, 2009, 9:07 am

Hello and welcome to the forums.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Post that in your next reply.
Wi[k]!
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: Help needed with redirect virus

Post by bitey » April 26th, 2009, 4:11 am

Thanks for the quick response. As requested, here is the list of applications:

ABBYY FineReader 6.0 Sprint
ABC (remove only)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player
Apple Mobile Device Support
Avira AntiVir Personal - Free Antivirus
Barbarian Invasion
Bonjour
Camera RAW Plug-In for EPSON Creativity Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Command & Conquer Red Alert 2
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dawn of War - Soulstorm
Dell ResourceCD
DivX
DivX Content Uploader
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Empire: Total War Demo
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Stylus SX200_SX400_TX200_TX400 Manual
EPSON Stylus SX400 Series Printer Uninstall
EPSON Web-To-Page
ESPR200 Reference Guide
ESPR200 Software Guide
Guild Wars
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
MCU
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.9)
MRIcroN (remove only)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
neroxml
NVIDIA Drivers
OpenMG Limited Patch 4.0-04-11-01-01
OpenMG Secure Module 4.0.05
Oront Burning Kit 2 Premium
Oront Burning Kit 2 Premium
Oront Burning Kit 2 Premium v2.5.5
Penny Arcade Adventures: On the Rain-Slick Precipice of Darkness, Episode One Demo
Penny Arcade Adventures: On the Rain-Slick Precipice of Darkness, Episode Two Demo
PIF DESIGNER2.1
QuickTime
Rome - Total War - Alexander
Rome - Total War(TM)
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Steam
The Battle for Middle-earth (tm) II
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
VCRedistSetup
VideoLAN VLC media player 0.8.6
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wallace and Gromit Demo
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Rights Management Client Backwards Compatibility SP2
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver

Bitey
bitey
Active Member
 
Posts: 10
Joined: April 24th, 2009, 6:17 am

Re: Help needed with redirect virus

Post by Wi[k]! » April 26th, 2009, 3:49 pm

Before anything else, notify the people at techsupportguy that you no longer need help as you are being helped here.

Download DDS by sUBs from one of the following links. Save it to your desktop.
Double click on the DDS icon.
A DOS window will be displayed while the scan is running.
Notepad will open with the results.
Post both of the logs in your next reply
--------------------------------------------------

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it reginfo.bat > file types *all files*> and save it to desktop.
Code:
regedit /e /a reginfo.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
start reginfo.txt


Double-click reginfo.bat to run it.
Post back with the text that will open in notepad.
Wi[k]!
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: Help needed with redirect virus

Post by bitey » April 29th, 2009, 10:09 am

Hi there, thanks for the response. Unfortunately I can't get any of those linked programs to work: when I click to run after downloading, a DOS screen flashes up for an instant then disappears and nothing happens, no logs, and Task Manager doesn't show anything as running.
bitey
Active Member
 
Posts: 10
Joined: April 24th, 2009, 6:17 am

Re: Help needed with redirect virus

Post by Wi[k]! » April 30th, 2009, 2:07 pm

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. In your case this includes: Avira.
--------------------------------------------------

After running ComboFix you should be able to update Malwarebytes. If so, after the updating has finished, do a quick scan and post that log in your next reply as well.
--------------------------------------------------

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it reginfo.bat > file types *all files*> and save it to desktop.
Code:
regedit /e /a reginfo.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
start reginfo.txt


Double-click reginfo.bat to run it.
Post back with the text that will open in notepad.
--------------------------------------------------

So in your next reply:

combofix.txt
Malwarebytes log
reginfo.bat results
Wi[k]!
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: Help needed with redirect virus

Post by bitey » May 1st, 2009, 7:41 am

OK then, here is the ComboFix log. (I had a bit of trouble with this at first, as it was insisting I had a McAfee antivirus running, something that I'm sure I've never installed. I found a few McAfee-related files (no actual program files though) on my computer and deleted them, but ComboFix still claimed that it was running? I pushed on regardless in the end and it did seem to scan successfully.)


ComboFix 09-04-30.05 - Ralph 01/05/2009 12:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT 1:00]
Running from: c:\documents and settings\Ralph\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-28 08:23 . 2009-04-28 08:23 -------- d--h--w c:\windows\PIF
2009-04-22 12:24 . 2009-04-22 12:24 -------- d-----w c:\program files\Trend Micro
2009-04-16 15:08 . 2009-04-16 15:08 -------- d-----w c:\program files\MSECache
2009-04-15 09:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:51 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 09:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 09:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 12:34 . 2009-04-14 12:34 -------- d-----w c:\documents and settings\Ralph\Local Settings\Application Data\HotheadGames
2009-04-14 10:31 . 2009-04-18 18:53 -------- d-----w c:\documents and settings\Giles\Local Settings\Application Data\HotheadGames
2009-04-04 10:30 . 2009-04-04 10:30 -------- d-----w c:\documents and settings\Ralph\Application Data\Malwarebytes
2009-04-04 10:30 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 10:30 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 10:30 . 2009-04-04 10:30 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 10:30 . 2009-04-07 10:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-04 06:04 . 2009-02-13 10:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-04 06:04 . 2009-04-04 06:04 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-04 06:04 . 2009-04-04 06:04 -------- d-----w c:\program files\Avira
2009-04-03 10:08 . 2009-04-08 18:25 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 10:45 . 2006-12-09 09:11 48872 ----a-w c:\documents and settings\Ralph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 16:05 . 2006-12-06 19:51 46736 ----a-w c:\documents and settings\Giles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 07:58 . 2007-11-10 09:37 -------- d-----w c:\program files\DAEMON Tools
2009-04-03 07:59 . 2006-11-03 12:46 -------- d-----w c:\program files\Google
2009-03-21 08:30 . 2009-03-21 08:30 -------- d-----w c:\program files\AVG
2009-03-19 10:41 . 2009-03-19 10:41 -------- d-----w c:\program files\iTunes
2009-03-19 10:41 . 2009-03-19 10:41 -------- d-----w c:\program files\iPod
2009-03-19 10:41 . 2008-09-10 09:46 -------- d-----w c:\program files\Common Files\Apple
2009-03-19 10:40 . 2009-03-19 10:40 -------- d-----w c:\program files\Bonjour
2009-03-19 10:39 . 2006-11-03 12:41 -------- d-----w c:\program files\QuickTime
2009-03-16 10:29 . 2009-03-16 10:29 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-06 14:22 . 2005-08-16 04:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2005-08-16 04:18 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2005-08-16 04:18 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 04:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 04:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 04:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 04:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 04:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 04:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 04:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 04:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 04:18 56832 ----a-w c:\windows\system32\secur32.dll
2007-02-11 20:56 . 2006-12-04 19:06 168 --sh--r c:\windows\system32\C107711460.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Documents and Settings\\Ralph\\My Documents\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Soulstorm.exe"=
"f:\\Program Files\\Westwood\\game.exe"=
"f:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files\\Steam\\steamapps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"f:\\Program Files\\Steam\\steamapps\\common\\empire total war demo\\Empire.exe"=
"f:\\Program Files\\Steam\\steamapps\\common\\penny arcade adventures on the rain-slick precipice of darkness episode 2\\RainSlickEp2.exe"=

R3 pepscsi;pepscsi;c:\windows\system32\DRIVERS\pepscsi.sys [2007-11-20 101192]
S0 PEP_HKA;PEP_HKA;c:\windows\system32\Drivers\PEP_HKA.SYS [2007-11-12 15040]
S0 pepbus;pepbus;c:\windows\system32\DRIVERS\pepbus.sys [2007-11-20 16624]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xpango.com/fe/htm/login/login.asp
mStart Page = hxxp://www1.euro.dell.com/content/defau ... l=en&s=gen
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Ralph\Application Data\Mozilla\Firefox\Profiles\s2rxt36j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://uk.blackle.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 12:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-01 12:36
ComboFix-quarantined-files.txt 2009-05-01 11:36
ComboFix2.txt 2009-05-01 10:58

Pre-Run: 8,793,423,872 bytes free
Post-Run: 8,789,303,296 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
167 --- E O F --- 2009-04-29 14:31


Here is the Malwarebytes one:

Malwarebytes' Anti-Malware 1.36
Database version: 2063
Windows 5.1.2600 Service Pack 3

01/05/2009 12:29:59
mbam-log-2009-05-01 (12-29-59).txt

Scan type: Quick Scan
Objects scanned: 114938
Time elapsed: 26 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and finally here is the reginfo.bat:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"vidc.DIVX"="DivX.dll"
"vidc.yv12"="DivX.dll"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

thanks, Ralph
bitey
Active Member
 
Posts: 10
Joined: April 24th, 2009, 6:17 am

Re: Help needed with redirect virus

Unread postby Dakeyras » May 3rd, 2009, 1:03 pm

Hi :)

Your current helper is unavailable at present and I will be taking over this topic if this change of situation is OK with your good self.

Any questions feel free to ask, if not I will post back asap with the next course of action.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help needed with redirect virus

Unread postby Dakeyras » May 3rd, 2009, 3:49 pm

Hi Ralph :)

Your installed Anti-Virus AntiVir is reporting its internal database is out of date:
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
Please check for updates via right clicking on the System Tray icon then click on Start Update.

Remove McAfee Remnants:

From reviewing the logs you provided it appears at some point you had one of the aforementioned vendors applications installed and some components remain. The best way to remove all leftovers is to run the following removal tool from McAfee:

Download and run MCPR.exe

If any problems and or not sure a safe generic removal tool can be found here.

Note: These remnants most likely pertain to the installation that came with your computer when purchased and not a cause for concern OK.

Next:

Now I am going to ask your good self to remove some out of date applications (we will update these next time OK) that pose a security risk and a back-door for malware to reinfect a system. Plus one suspect application that has a nefarious side.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 7.1.0
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
Java(TM) 6 Update 5
URL Assistant


Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Custom ComboFix Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    KILLALL::
    
    File::
    c:\windows\system32\C107711460.sys
    
    Driver::
    C107711460.sys
    
    Folder::
    c:\documents and settings\All Users\Application Data\Lavasoft
    C:\Program Files\URL Assistant
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\URL Assistant]
    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

F-Secure Blacklight:

Please download Blacklight from here to your desktop.

Or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:
"%userprofile%\desktop\fsbl.exe" /expert

Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

  • Any problems encountered and/or further symptoms at all?
  • Blacklight Log.
  • ComboFix Log.
  • A new HijackThis Log.
Last edited by Dakeyras on May 6th, 2009, 5:24 am, edited 1 time in total.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help needed with redirect virus

Unread postby Dakeyras » May 5th, 2009, 2:19 pm

Hi :)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help needed with redirect virus

Unread postby bitey » May 6th, 2009, 4:33 am

Hi there, and thanks for taking over- I am still in need of help, just hadn't had a chance to check here over the last few days.

I was working through the steps outlined above but I found that I could not remove the URL assistant program with add or remove programs- when I click change/remove nothing happens....

Should I press on with the other steps or try to get rid of this url assistant program first (no idea where it came from either!)

R
bitey
Active Member
 
Posts: 10
Joined: April 24th, 2009, 6:17 am

Re: Help needed with redirect virus

Unread postby Dakeyras » May 6th, 2009, 5:28 am

Hi :)

OK not a problem, just carry on with the rest of the instructions please, thank you.

Note: If you had copied the Custom ComboFix Script prior to running it, please make a new copy as I have amended it to include URL Assistant. If however you did press on before reading this and have already run ComboFix, not a problem, we will remove the aforementioned URL Assistant next time :thumbup:
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help needed with redirect virus

Unread postby bitey » May 6th, 2009, 9:00 am

OK then, here we go:


ComboFix 09-04-30.05 - Ralph 06/05/2009 13:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.581 [GMT 1:00]
Running from: c:\documents and settings\Ralph\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ralph\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\C107711460.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Lavasoft
c:\windows\system32\C107711460.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-04-28 08:23 . 2009-04-28 08:23 -------- d--h--w c:\windows\PIF
2009-04-22 12:24 . 2009-04-22 12:24 -------- d-----w c:\program files\Trend Micro
2009-04-16 15:08 . 2009-04-16 15:08 -------- d-----w c:\program files\MSECache
2009-04-15 09:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:51 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 09:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 09:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 12:34 . 2009-04-14 12:34 -------- d-----w c:\documents and settings\Ralph\Local Settings\Application Data\HotheadGames
2009-04-14 10:31 . 2009-04-18 18:53 -------- d-----w c:\documents and settings\Giles\Local Settings\Application Data\HotheadGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 08:26 . 2007-01-15 22:58 -------- d-----w c:\program files\Common Files\Adobe
2009-05-02 12:24 . 2006-12-06 19:51 48872 ----a-w c:\documents and settings\Giles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 16:51 . 2009-04-04 06:04 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-28 10:45 . 2006-12-09 09:11 48872 ----a-w c:\documents and settings\Ralph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 10:20 . 2009-04-04 10:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 14:32 . 2009-04-04 10:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-04-04 10:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 07:58 . 2007-11-10 09:37 -------- d-----w c:\program files\DAEMON Tools
2009-04-04 06:04 . 2009-04-04 06:04 -------- d-----w c:\program files\Avira
2009-04-03 07:59 . 2006-11-03 12:46 -------- d-----w c:\program files\Google
2009-03-21 08:30 . 2009-03-21 08:30 -------- d-----w c:\program files\AVG
2009-03-19 10:41 . 2009-03-19 10:41 -------- d-----w c:\program files\iTunes
2009-03-19 10:41 . 2009-03-19 10:41 -------- d-----w c:\program files\iPod
2009-03-19 10:41 . 2008-09-10 09:46 -------- d-----w c:\program files\Common Files\Apple
2009-03-19 10:40 . 2009-03-19 10:40 -------- d-----w c:\program files\Bonjour
2009-03-19 10:39 . 2006-11-03 12:41 -------- d-----w c:\program files\QuickTime
2009-03-16 10:29 . 2009-03-16 10:29 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-06 14:22 . 2005-08-16 04:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2005-08-16 04:18 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2005-08-16 04:18 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 04:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 04:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 04:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 04:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 04:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 04:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 04:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 04:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-01_10.53.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-04 06:04 . 2009-05-01 16:51 96104 c:\windows\system32\drivers\avipbb.sys
+ 2006-12-02 12:33 . 2009-05-06 08:27 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2006-12-02 12:33 . 2006-11-03 12:54 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Documents and Settings\\Ralph\\My Documents\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Soulstorm.exe"=
"f:\\Program Files\\Westwood\\game.exe"=
"f:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files\\Steam\\steamapps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"f:\\Program Files\\Steam\\steamapps\\common\\empire total war demo\\Empire.exe"=
"f:\\Program Files\\Steam\\steamapps\\common\\penny arcade adventures on the rain-slick precipice of darkness episode 2\\RainSlickEp2.exe"=

R3 pepscsi;pepscsi;c:\windows\system32\DRIVERS\pepscsi.sys [2007-11-20 101192]
S0 PEP_HKA;PEP_HKA;c:\windows\system32\Drivers\PEP_HKA.SYS [2007-11-12 15040]
S0 pepbus;pepbus;c:\windows\system32\DRIVERS\pepbus.sys [2007-11-20 16624]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-01 108289]

.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xpango.com/fe/htm/login/login.asp
mStart Page = hxxp://www1.euro.dell.com/content/defau ... l=en&s=gen
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Ralph\Application Data\Mozilla\Firefox\Profiles\s2rxt36j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://uk.blackle.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 13:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3288)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-06 13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 12:36
ComboFix2.txt 2009-05-01 11:36
ComboFix3.txt 2009-05-01 10:58

Pre-Run: 8,746,397,696 bytes free
Post-Run: 8,774,705,152 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
180 --- E O F --- 2009-04-29 14:31




05/06/09 13:37:28 [Info]: BlackLight Engine 2.2.1092 initialized
05/06/09 13:37:28 [Info]: OS: 5.1 build 2600 (Service Pack 3)
05/06/09 13:37:28 [Note]: 7019 4
05/06/09 13:37:28 [Note]: 7005 0
05/06/09 13:37:55 [Note]: 7006 0
05/06/09 13:37:55 [Note]: 7011 3288
05/06/09 13:37:55 [Note]: 7035 0
05/06/09 13:37:55 [Note]: 7026 0
05/06/09 13:37:55 [Note]: 7026 0
05/06/09 13:37:57 [Note]: FSRAW library version 1.7.1024
05/06/09 13:57:14 [Note]: 7007 0





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:57:39, on 06/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xpango.com/fe/htm/login/login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/defau ... l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&c ... bd=0061103
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7528 bytes

R
bitey
Active Member
 
Posts: 10
Joined: April 24th, 2009, 6:17 am

Re: Help needed with redirect virus

Unread postby Dakeyras » May 6th, 2009, 1:41 pm

Hi :)

Older installations of both Adobe and Java products pose a security risk, plus a back-door for malware to reinfect a system.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 7.1.0
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
Java(TM) 6 Update 5


Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Custom Batch File:

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <-- Start >> Run... type in notepad and select OK
@echo off
REM Stop the orphaned Roxio LiveShare service, then remove its registration
SC Stop RoxLiveShare9
SC Delete RoxLiveShare9
REM Delete this batch file once it has run
Del %0
  • Now go to File >> Save As
  • Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this: Image

Now double click on the desktop Dakeyras.bat to run it. It will self delete when completed.

Next:

Please re-open HiJackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)


Now click on Fix Checked. Close HiJackThis.

Next:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\AVG
C:\Program Files\BAE
C:\Program Files\Common Files\Roxio Shared

Next click Start >> Run and type cleanmgr in the box and press OK.

  • Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
  • You can choose to check other boxes if you wish but they are not required.
  • Click on OK then Yes.
  • Now Reboot(restart) your computer.

New Adobe Reader Installation:

  • Go here and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.


New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE Runtime Environment (JRE) 6 Update 13. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u13-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u13-windows-i586-p.exe to install Java.

Run Kaspersky Online AV Scanner:

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

This online tutorial will help explain how to use the aforementioned online scan.

When completed the above, please post back the following:

  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • Kaspersky results.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
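One way to triage a HijackThis log for the orphaned load points and dead services the post above tells the user to fix, as an added example that is not part of this thread or of HijackThis itself. The sample lines are copied from the log posted earlier; the parser, the `Entry` structure and the cleanup mapping are my own construction.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a few HijackThis v2.0.2 lines in the format shown
# in this thread (O2 BHOs, an O4 Run entry, an O9 button, O23 services).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# Line shapes for the HijackThis sections the helper acted on. CLSIDs are braced
# GUIDs; "(file missing)" / "(no file)" are HijackThis's own markers for a load
# point whose target no longer exists on disk.
_CLSID = r"\{[0-9A-Fa-f-]+\}"
_PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{_CLSID}) - (?P<path>.+)$"),
    "O9": re.compile(rf"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - (?P<clsid>{_CLSID}) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}
_MISSING_SUFFIX = " (file missing)"
_SERVICE_KEY = re.compile(r"\((?P<key>[^()\s]+)\)\s*$")  # "(RoxLiveShare9)" at end of name


@dataclass
class Entry:
    section: str                  # O2, O9 or O23
    name: str                     # display name exactly as HijackThis prints it
    path: str                     # referenced file with the marker stripped ("" for "(no file)")
    file_missing: bool            # True when HijackThis reported the target absent
    clsid: Optional[str] = None   # O2/O9 only
    owner: Optional[str] = None   # O23 only; "Unknown owner" is typical of leftovers

    @property
    def service_key(self) -> Optional[str]:
        """Short service name HijackThis prints in parentheses (what `sc` expects)."""
        if self.section != "O23":
            return None
        m = _SERVICE_KEY.search(self.name)
        return m.group("key") if m else None


def _split_path(raw: str):
    """Separate the file path from HijackThis's missing-file markers."""
    raw = raw.strip()
    if raw == "(no file)":
        return "", True
    if raw.endswith(_MISSING_SUFFIX):
        return raw[: -len(_MISSING_SUFFIX)], True
    return raw, False


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2/O9/O23 lines of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        for section, pat in _PATTERNS.items():
            m = pat.match(line.strip())
            if not m:
                continue
            path, missing = _split_path(m.group("path"))
            groups = m.groupdict()
            entries.append(Entry(section, groups["name"], path, missing,
                                 clsid=groups.get("clsid"), owner=groups.get("owner")))
            break
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Load points and services whose target file is gone (uninstall leftovers)."""
    return [e for e in entries if e.file_missing]


def cleanup_plan(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each orphan to the action used in this thread: HijackThis 'Fix checked'
    for O2/O9 entries, sc stop/delete (as in the helper's batch file) for services."""
    plan: Dict[str, List[str]] = {}
    for e in orphaned_entries(entries):
        if e.section == "O23" and e.service_key:
            plan[e.name] = [f"sc stop {e.service_key}", f"sc delete {e.service_key}"]
        elif e.section == "O23":
            plan[e.name] = ["look up the short service name in services.msc before using sc delete"]
        else:
            plan[e.name] = ["tick in HijackThis and use Fix checked"]
    return plan


if __name__ == "__main__":
    for name, actions in cleanup_plan(parse_hjt(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(actions)}")
```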

Re: Help needed with redirect virus

Unread postby Dakeyras » May 8th, 2009, 6:32 am

Hi :)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra