Virus redirecting Google search results - Malwarebytes and HijackThis log file help
Bacardi_queen
in Techie Stuff
Hi
I think I've caught the virus that redirects Google search results. I've carried out a full scan with Malwarebytes (it wouldn't let me update it, so I installed a new version of Malwarebytes instead). It found quite a few items, which I removed, and then rebooted the computer. But on reboot, I'm still having the same problem.
I've posted the Malwarebytes log file below, and also the HijackThis log file. Can anyone take a look and help?
Thanks
Bacardiqueen
Comments
Malwarebytes' Anti-Malware 1.44
Database version: 3667
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
31/01/2010 15:46:38
mbam-log-2010-01-31 (15-46-38).txt
Scan type: Full Scan (C:\|)
Objects scanned: 218256
Time elapsed: 1 hour(s), 29 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Documents and Settings\User.USER-700B570DE5\Local Settings\Temp\5F.tmp (Backdoor.Bot) -> Delete on reboot.
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe ecrm.goo srjds) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\User.USER-700B570DE5\Local Settings\Temp\5F.tmp (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\User.USER-700B570DE5\Local Settings\Temp\000034d1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User.USER-700B570DE5\Local Settings\Temp\60.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ecrm.goo (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000180e.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\10E.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\61.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:22:37, on 31/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CE6D1E9-916E-4A05-8C2C-4BE49D8246DF}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AC0B16F-BD1D-4C2B-ACDF-D0ACB4CEE2F6}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC5096A1-3A61-4E82-9978-C8EB068DCCDE}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CE6D1E9-916E-4A05-8C2C-4BE49D8246DF}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.217,93.188.166.55
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
--
End of file - 9094 bytes
Looking at the log, you need to scan with this:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Fix these (those IP addresses seem to be in Ukraine):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.celartem.com/en/download/...trol_en_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CE6D1E9-916E-4A05-8C2C-4BE49D8246DF}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AC0B16F-BD1D-4C2B-ACDF-D0ACB4CEE2F6}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC5096A1-3A61-4E82-9978-C8EB068DCCDE}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CE6D1E9-916E-4A05-8C2C-4BE49D8246DF}: NameServer = 93.188.163.217,93.188.166.55
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.217,93.188.166.55
Thanks, I have checked the HijackThis boxes and am now starting ComboFix. Will get back to you when it's finished.
Thanks for the help so far!
Remove it with this: http://www.surfright.nl/en/hitmanpro/whatsnew
Download HostsXpert
http://download.softpedia.com/dl/a688cad746f64494e3ba8aee103f97e4/4b3ceb67/100027041/software/system/HostsXpert.zip
and then follow the below steps.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* Click the Make Writeable? button.
* Click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program.
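Before restoring the stock file it is worth seeing what the current one maps, since on XP the default contains only `127.0.0.1 localhost` and every other line was added by something. The script below is an added example, not part of the thread or of HostsXpert: it parses a hosts file and classifies each non-default mapping as a sinkhole (a name pointed at loopback or 0.0.0.0, the usual way malware blocks a vendor's update site) or a redirect (a name pointed at some other address). The sample file contents and the `.test` host names are constructed; the default path is the standard XP location.

```python
"""Audit the Windows hosts file before restoring Microsoft's default copy.

Added example, not part of the original thread. Reports every mapping that is
not in the stock Windows XP file, tagged as a sinkhole or a redirect.
"""
import ipaddress
import os

# The only mapping in the stock XP hosts file (the ::1 line arrived with Vista).
STOCK_XP = {("127.0.0.1", "localhost")}


def hosts_path():
    """Standard location of the hosts file on Windows."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        addr, *names = body.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an address: leave for a human to read
        for name in names:
            yield str(ip), name.lower()


def audit_hosts(text, expected=STOCK_XP):
    """Return [(ip, name, 'sinkhole' | 'redirect')] for every non-expected mapping."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in expected:
            continue
        addr = ipaddress.ip_address(ip)
        # 0.0.0.0 is not loopback but is just as effective a blackhole
        kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append((ip, name, kind))
    return findings


# Constructed sample file: stock header and localhost line plus three additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test     # constructed: vendor update host sinkholed
0.0.0.0         download.example-av.test   # constructed: another common sinkhole address
203.0.113.7     www.example.test           # constructed: redirected to a remote address
"""

if __name__ == "__main__":
    path = hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, name, kind in audit_hosts(text):
        print(f"{kind:8} {name} -> {ip}")
```

If the audit comes back empty, restoring the file changes nothing and the step can be skipped; if it lists sinkholed vendor hosts, that alone would explain a scanner refusing to update.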
Browntoa, I have completed ComboFix. It seems to have done the trick, but here's the log file just in case:
ComboFix 10-01-30.07 - User 31/01/2010 17:07:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.677 [GMT 0:00]
Running from: c:\documents and settings\User.USER-700B570DE5\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User.USER-700B570DE5\Application Data\inst.exe
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\~DFK18f1cf8.tmp
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\1eaadjc.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\bass.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\engine_vx.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\kfgresk.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\mjcriu.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\peaadje.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\qwadjb.dll
c:\documents and settings\User.USER-700B570DE5\Application Data\Microsoft\rsaadjd.dll
c:\recycler\S-1-5-21-1547161642-706699826-1343024091-1003
c:\recycler\S-1-5-21-390791913-1275031184-413780649-1005
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.
23843-02-13 09:18 . 2001-08-17 13:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
23843-02-13 09:17 . 2001-08-17 13:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
23843-02-13 09:17 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\irftp.exe
23843-02-13 09:17 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\wshirda.dll
23843-02-13 09:17 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\irmon.dll
23843-02-13 09:17 . 2008-04-13 18:54 88192 ----a-w- c:\windows\system32\drivers\irda.sys
23843-02-13 09:17 . 2001-08-17 12:10 35913 ----a-w- c:\windows\system32\drivers\smcirda.sys
23843-02-13 09:17 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
23843-02-13 09:16 . 2008-04-13 18:40 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
23843-02-13 09:16 . 2008-04-14 00:12 74240 ----a-w- c:\windows\system32\usbui.dll
23843-02-13 09:16 . 2008-04-13 18:36 42368 ----a-w- c:\windows\system32\drivers\agp440.sys
23843-02-13 09:16 . 2008-04-13 18:36 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
23843-02-13 09:16 . 2008-04-13 18:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
23843-02-13 09:16 . 2008-04-13 18:36 14208 ----a-w- c:\windows\system32\drivers\battc.sys
23843-02-13 09:16 . 2008-04-13 18:36 13952 ----a-w- c:\windows\system32\drivers\cmbatt.sys
2010-01-30 18:02 . 2010-01-30 18:18 d-----w- c:\program files\All2WAV Recorder
2010-01-30 17:48 . 2010-01-30 17:50 d-----w- c:\program files\MP3MyMP3 3.0
2010-01-30 16:12 . 2010-01-30 16:20 d-----w- c:\program files\Absolute Sound Recorder
2010-01-30 15:52 . 2010-01-30 15:52 d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-07 11:15 . 2010-01-31 17:21 d-----w- c:\documents and settings\User.USER-700B570DE5\Tracing
2010-01-07 11:06 . 2010-01-07 11:06 d-----w- c:\program files\Microsoft
2010-01-07 11:06 . 2010-01-07 11:06 d-----w- c:\program files\Windows Live SkyDrive
2010-01-07 11:01 . 2010-01-07 11:01 d-----w- c:\program files\Common Files\Windows Live
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 15:47 . 2008-04-25 18:41 d-----w- c:\documents and settings\User.USER-700B570DE5\Application Data\uTorrent
2010-01-31 14:15 . 2009-03-15 20:03 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 19:39 . 2009-12-27 21:37 d-----w- c:\documents and settings\User.USER-700B570DE5\Application Data\dvdcss
2010-01-27 19:38 . 2009-12-15 22:25 d-----w- c:\documents and settings\User.USER-700B570DE5\Application Data\Vso
2010-01-27 19:38 . 2009-12-15 22:25 47360 ----a-w- c:\documents and settings\User.USER-700B570DE5\Application Data\pcouffin.sys
2010-01-27 19:10 . 2009-07-03 21:50 d-----w- c:\program files\Quintessential Media Player
2010-01-24 15:28 . 2008-04-25 20:05 d-----w- c:\documents and settings\User.USER-700B570DE5\Application Data\Apple Computer
2010-01-17 16:57 . 2009-07-04 09:27 5115824 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 16:07 . 2009-03-15 20:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-03-15 20:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 11:07 . 2008-06-10 20:02 d-----w- c:\program files\Windows Live
2009-12-29 19:21 . 2009-12-29 19:10 d-----w- c:\program files\Xilisoft
2009-12-29 19:07 . 2009-12-15 21:31 d-----w- c:\program files\Handbrake
2009-12-29 11:40 . 2008-04-21 19:27 68840 -c--a-w- c:\documents and settings\User.USER-700B570DE5\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 11:21 . 2009-12-29 11:21 d-----w- c:\program files\Digiarty
2009-12-27 22:06 . 2009-12-27 22:06 d-----w- c:\documents and settings\User.USER-700B570DE5\Application Data\DVDFab
2009-12-27 21:56 . 2009-12-15 22:25 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-27 21:44 . 2009-12-27 21:22 d-----w- c:\program files\AoA DVD Ripper
2009-12-27 21:44 . 2009-12-27 21:22 d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-12-24 12:02 . 2009-12-24 12:02 175872 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-20 23:16 . 2009-12-20 23:15 d-----w- c:\program files\iTunes
2009-12-20 23:16 . 2009-12-20 23:15 d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-20 23:15 . 2009-12-20 23:15 d-----w- c:\program files\iPod
2009-12-20 23:15 . 2008-04-25 20:02 d-----w- c:\program files\Common Files\Apple
2009-12-20 23:13 . 2009-12-20 23:10 d-----w- c:\program files\QuickTime
2009-12-20 23:02 . 2009-12-20 23:02 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-19 21:15 . 2009-12-19 21:15 d-----w- c:\program files\LizardTech
2009-12-15 22:52 . 2009-12-15 22:52 d-----w- c:\program files\MSBuild
2009-12-15 22:52 . 2009-12-15 22:52 d-----w- c:\program files\Reference Assemblies
2009-12-15 21:40 . 2009-12-15 21:31 d-----w- c:\documents and settings\User.USER-700B570DE5\Application Data\HandBrake
2009-12-15 21:23 . 2009-12-15 21:23 d-----w- c:\program files\Microsoft.NET
2009-12-07 21:17 . 2009-06-07 18:54 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-29 00:07 . 2009-11-29 00:07 121315 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [07/06/2009 18:54 108289]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 16:19 202280]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [16/09/2009 19:42 182101]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [16/09/2009 19:42 5689]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;c:\windows\system32\drivers\ar5211.sys [14/04/2008 09:40 380160]
.
Contents of the 'Scheduled Tasks' folder
2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]
2010-01-31 c:\windows\Tasks\User_Feed_Synchronization-{B87E5B40-16BB-4BA8-BCA2-D34D6B81D7EE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 17:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-1482476501-162531612-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{90123A4A-35A5-3ED1-1A6B-F61F5235471A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadmdojddmejfnmchihnphpdfnlfni"=hex:64,61,64,67,65,6f,69,6d,00,90
"oapmehhfojdfkgelddbgmepfdpllcm"=hex:6a,61,64,67,67,6f,67,6d,6c,6e,62,6a,61,64,
61,66,6b,6e,70,6a,00,fd
"nafnkfhhfmemmoacnmkidbdcnobi"=hex:6a,61,64,67,67,6f,67,6d,63,6f,6f,65,69,61,
63,68,6b,63,6f,70,00,fd
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscdll.dll
- - - - - - - > 'explorer.exe'(1084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-01-31 17:30:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-31 17:30
Pre-Run: 5,407,801,344 bytes free
Post-Run: 5,419,679,744 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 3D4C1C00D8377AB1B5674AB4E2CF976C
Bacardi_queen,
For the time being just act on Browntoa's instructions.
DO NOT start downloading further stuff that others may recommend.
There are only a very few people on this forum whose advice I would accept, and Browntoa is one of them (been here ages, same as me).
There are a couple of others who help out on here and who are very good, but as Browntoa has started to help you, just follow his (massive gender assumption here; apologies if I am wrong) instructions for the time being.
Edit: aliEnRIK is another good source of trusted help on this forum.
Thanks Alienrik - I think the steps taken by Browntoa have fixed the problem, but should I do this anyway just to make sure?