Redirecting virus? - Free Antivirus Forum

Redirecting virus?

BullGuard Antivirus Forum > Virus > Virus Questions > Redirecting virus?

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-21-2008 9:46 (GMT +1)

I seem to have issues with links randomly redirecting me to porn or adverts for software. Could this be a virus? Avast doesnt find anything, nor does adaware or SUPERantispyware
took a log with hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:11, on 21/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwjs.exe] C:\WINDOWS\system32\kdwjs.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\DOCUME~1\Chloe\LOCALS~1\Temp\E_S11D.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Nature\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Be!!!eled 2\Images\armhelper.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-22-2008 5:27 (GMT +1)

Hello

Please download Malwarebytes' Anti-Malware:

http://www.spywarefri.dk/downloads1/mbam-setup.exe

Or here:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch

Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and Paste that log into your next reply, along with fresh hijackthis log.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-22-2008 10:10 (GMT +1)

Malwarebytes' Anti-Malware 1.30
Database version: 1415
Windows 5.1.2600 Service Pack 3

22/11/2008 09:05:30
mbam-log-2008-11-22 (09-05-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 93111
Time elapsed: 32 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-14D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-243.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:06:19, on 22/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwjs.exe] C:\WINDOWS\system32\kdwjs.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\DOCUME~1\Chloe\LOCALS~1\Temp\E_S11D.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Nature\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Be!!!eled 2\Images\armhelper.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5707 bytes

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-22-2008 10:12 (GMT +1)

I also have another issue, anything opened in notepad is blank, I have to save and reopen with another text program such as word etc. Not sure if its related?

quick edit, solved myself. Looks like something changed font to size 1000 so nothing was coming up. Changed it to 12, problem fixed

Post Edited (r1ch1e) : 22-11-2008 09:18:44 GMT

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-22-2008 11:00 (GMT +1)

Ok. Unfortunality have you still some infecctions, therefore - >

Please download Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-22-2008 11:29 (GMT +1)

ComboFix 08-11-21.05 - Chloe 2008-11-22 10:25:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1616 [GMT 0:00]
Running from: c:\documents and settings\Chloe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\MSINET.oca
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-12-28 18:22 . 2008-12-28 18:22 244 --ah----- C:\sqmnoopt07.sqm
2008-12-28 18:22 . 2008-12-28 18:22 232 --ah----- C:\sqmdata07.sqm
2008-12-27 20:58 . 2008-12-27 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-12-27 20:58 . 2008-12-27 20:58 232 --ah----- C:\sqmdata06.sqm
2008-12-26 15:29 . 2008-12-26 15:29 244 --ah----- C:\sqmnoopt05.sqm
2008-12-26 15:29 . 2008-12-26 15:29 232 --ah----- C:\sqmdata05.sqm
2008-12-25 17:37 . 2008-12-25 17:37 244 --ah----- C:\sqmnoopt04.sqm
2008-12-25 17:37 . 2008-12-25 17:37 232 --ah----- C:\sqmdata04.sqm
2008-12-24 20:58 . 2008-12-24 20:58 244 --ah----- C:\sqmnoopt03.sqm
2008-12-24 20:58 . 2008-12-24 20:58 232 --ah----- C:\sqmdata03.sqm
2008-12-23 20:51 . 2008-12-23 20:51 244 --ah----- C:\sqmnoopt02.sqm
2008-12-23 20:51 . 2008-12-23 20:51 232 --ah----- C:\sqmdata02.sqm
2008-12-23 18:03 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-22 20:55 . 2008-12-22 20:55 244 --ah----- C:\sqmnoopt01.sqm
2008-12-22 20:55 . 2008-12-22 20:55 232 --ah----- C:\sqmdata01.sqm
2008-12-22 20:32 . 2008-12-22 20:32 244 --ah----- C:\sqmnoopt00.sqm
2008-12-22 20:32 . 2008-12-22 20:32 232 --ah----- C:\sqmdata00.sqm
2008-12-22 19:18 . 2008-04-14 00:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-22 08:29 . 2008-11-22 08:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-22 08:29 . 2008-11-22 08:29 <DIR> d-------- c:\documents and settings\Chloe\Application Data\Malwarebytes
2008-11-22 08:29 . 2008-11-22 08:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 08:29 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-22 08:29 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-21 20:39 . 2008-11-21 20:39 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 18:18 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-11-21 18:17 . 2008-11-21 18:17 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-11-21 18:16 . 2008-11-21 18:17 <DIR> d-------- c:\windows\SHELLNEW
2008-11-21 18:11 . 2008-11-21 18:11 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-20 16:14 . 2008-11-20 16:14 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-11-20 16:14 . 2008-11-20 16:14 <DIR> d-------- c:\program files\Windows Desktop Search
2008-11-20 16:14 . 2008-11-20 16:14 <DIR> d-------- c:\documents and settings\Chloe\Application Data\Windows Desktop Search
2008-11-20 16:09 . 2008-11-20 16:09 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-20 16:07 . 2008-11-20 16:07 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-20 16:07 . 2008-11-20 16:08 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-20 16:06 . 2008-11-20 16:06 <DIR> d-------- c:\windows\system32\URTTEMP
2008-11-16 17:51 . 2008-11-16 17:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-16 17:50 . 2008-11-16 17:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-16 17:50 . 2008-11-16 17:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-16 17:50 . 2008-11-16 17:50 <DIR> d-------- c:\documents and settings\Chloe\Application Data\SUPERAntiSpyware.com
2008-11-16 16:28 . 2008-11-16 16:28 <DIR> d-------- c:\program files\Lavasoft
2008-11-16 16:28 . 2008-11-16 16:28 <DIR> d-------- c:\documents and settings\Chloe\Application Data\Lavasoft
2008-11-15 20:58 . 2008-11-15 20:58 <DIR> d-------- c:\program files\Xilisoft
2008-11-15 16:32 . 2000-09-27 13:15 532,480 --------- c:\windows\system32\imagx5.dll
2008-11-15 16:32 . 2000-09-21 14:02 507,904 --------- c:\windows\system32\imagr5.dll
2008-11-15 16:32 . 2000-09-21 09:53 275,312 --------- c:\windows\system32\ImagXpr5.dll
2008-11-15 16:32 . 2000-09-21 04:47 35,328 --------- c:\windows\system32\picn20.dll
2008-11-15 16:32 . 2008-11-15 16:32 46 --a------ c:\windows\system32\ie4file.inf
2008-11-15 16:26 . 2008-11-15 16:26 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-14 20:21 . 2008-11-14 20:21 <DIR> d-------- c:\documents and settings\Chloe\Application Data\vlc
2008-11-14 20:17 . 2008-11-14 20:17 <DIR> d-------- c:\program files\VideoLAN
2008-11-14 19:33 . 2008-11-14 19:33 <DIR> d-------- c:\program files\Date Cracker 2000
2008-11-14 19:33 . 2008-11-14 19:33 249,856 --------- c:\windows\Setup1.exe
2008-11-14 19:33 . 2008-11-14 19:33 73,216 --a------ c:\windows\ST6UNST.EXE
2008-11-14 07:16 . 2008-11-14 07:16 2,581 -r-hs---- c:\windows\PCGWIN32.LI5
2008-11-14 07:16 . 2008-11-14 07:16 528 -r-hsc--- c:\windows\PCGWIN32.LI4
2008-11-14 06:49 . 2008-11-14 06:49 <DIR> d-------- c:\program files\MagicISO
2008-11-13 20:45 . 2008-11-13 20:45 <DIR> d-------- c:\program files\uTorrent
2008-11-13 20:45 . 2008-11-21 19:31 <DIR> d-------- c:\documents and settings\Chloe\Application Data\uTorrent
2008-11-13 20:12 . 2008-11-13 20:12 <DIR> d-------- c:\program files\Common Files\Autodata Limited Shared
2008-11-13 20:12 . 2008-11-13 20:12 <DIR> d-------- C:\ADCDTEMP
2008-11-13 20:12 . 2005-10-05 16:07 <DIR> d-------- C:\ADCDA2
2008-11-13 18:27 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 18:27 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-07 18:32 . 2008-11-07 18:32 <DIR> d-------- c:\documents and settings\Chloe\Application Data\EPSON
2008-11-06 17:41 . 2008-11-06 17:41 <DIR> dr-h----- c:\documents and settings\Chloe\Application Data\SecuROM
2008-11-06 17:38 . 2008-11-06 17:43 <DIR> d-------- c:\windows\NV35363988.TMP
2008-11-06 17:38 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-11-06 17:35 . 2008-11-06 17:35 <DIR> d-------- C:\NVIDIA
2008-11-06 17:30 . 2008-11-06 17:41 <DIR> d-------- c:\program files\Tomb Raider - Anniversary
2008-11-06 17:18 . 2008-11-06 17:20 <DIR> d-------- c:\program files\GameShadow
2008-11-06 14:09 . 2008-11-10 07:36 244 --ah----- C:\sqmnoopt19.sqm
2008-11-06 14:09 . 2008-11-10 07:36 232 --ah----- C:\sqmdata19.sqm
2008-11-05 20:47 . 2008-11-09 19:57 244 --ah----- C:\sqmnoopt18.sqm
2008-11-05 20:47 . 2008-11-09 19:57 232 --ah----- C:\sqmdata18.sqm
2008-11-05 20:38 . 2008-11-05 20:38 <DIR> d-------- c:\program files\MyMPxPlayer.org
2008-11-05 19:31 . 2008-11-05 19:31 <DIR> d-------- c:\program files\eRightSoft
2008-11-05 19:31 . 2008-11-05 19:31 <DIR> d-------- c:\program files\AviSynth 2.5
2008-11-05 19:07 . 2008-11-05 19:07 <DIR> d-------- c:\documents and settings\Chloe\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-05 19:04 . 2005-02-24 12:10 2,084,864 --a------ c:\windows\system32\AudDesign.dll
2008-11-05 19:03 . 1998-07-12 19:00 32,768 --a------ c:\windows\system32\CMDLGFR.DLL
2008-11-04 19:02 . 2008-11-15 16:36 244 --ah----- C:\sqmnoopt17.sqm
2008-11-04 19:02 . 2008-11-15 16:36 232 --ah----- C:\sqmdata17.sqm
2008-11-04 14:50 . 2008-11-15 16:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-04 14:50 . 2008-11-15 16:27 232 --ah----- C:\sqmdata16.sqm
2008-11-04 11:37 . 2008-11-14 21:36 244 --ah----- C:\sqmnoopt15.sqm
2008-11-04 11:37 . 2008-11-14 21:36 232 --ah----- C:\sqmdata15.sqm
2008-11-02 21:03 . 2008-11-14 07:19 244 --ah----- C:\sqmnoopt14.sqm
2008-11-02 21:03 . 2008-11-14 07:19 232 --ah----- C:\sqmdata14.sqm
2008-11-01 17:10 . 2008-11-13 22:35 244 --ah----- C:\sqmnoopt13.sqm
2008-11-01 17:10 . 2008-11-13 22:35 232 --ah----- C:\sqmdata13.sqm
2008-10-31 21:21 . 2008-11-12 20:54 244 --ah----- C:\sqmnoopt12.sqm
2008-10-31 21:21 . 2008-11-12 20:54 232 --ah----- C:\sqmdata12.sqm
2008-10-30 20:07 . 2008-11-11 21:25 244 --ah----- C:\sqmnoopt11.sqm
2008-10-30 20:07 . 2008-11-11 21:25 232 --ah----- C:\sqmdata11.sqm
2008-10-30 19:28 . 2008-10-30 19:28 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-30 19:27 . 2008-10-30 19:27 <DIR> d-------- c:\program files\Common Files\Adobe
2008-10-30 18:38 . 2008-10-30 18:38 <DIR> d-------- c:\documents and settings\Chloe\Application Data\AdobeUM
2008-10-29 20:54 . 2008-11-11 19:08 244 --ah----- C:\sqmnoopt10.sqm
2008-10-29 20:54 . 2008-11-11 19:08 232 --ah----- C:\sqmdata10.sqm
2008-10-29 18:31 . 2008-11-10 20:45 244 --ah----- C:\sqmnoopt09.sqm
2008-10-29 18:31 . 2008-11-10 20:45 232 --ah----- C:\sqmdata09.sqm
2008-10-28 20:50 . 2008-11-10 19:26 244 --ah----- C:\sqmnoopt08.sqm
2008-10-28 20:50 . 2008-11-10 19:26 232 --ah----- C:\sqmdata08.sqm
2008-10-22 17:30 . 2008-10-22 17:30 <DIR> d-------- c:\windows\system32\scripting
2008-10-22 17:30 . 2008-10-22 17:30 <DIR> d-------- c:\windows\system32\en
2008-10-22 17:30 . 2008-10-22 17:30 <DIR> d-------- c:\windows\system32\bits
2008-10-22 17:30 . 2008-10-22 17:30 <DIR> d-------- c:\windows\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 19:19 --------- d-----w c:\program files\MSN Messenger
2008-11-15 16:34 --------- d-----w c:\program files\Ahead
2008-11-06 17:41 108,144 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 18:40 --------- d-----w c:\program files\Sun
2008-10-17 18:40 --------- d-----w c:\program files\Java
2008-10-17 18:39 --------- d-----w c:\program files\Common Files\Java
2008-10-16 19:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-16 19:47 --------- d-----w c:\program files\Sony Ericsson
2008-10-16 19:47 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-10-16 19:46 --------- d-----w c:\documents and settings\Chloe\Application Data\InstallShield
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 19:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-14 18:47 --------- d-----w c:\documents and settings\Chloe\Application Data\SpinTop
2008-10-05 16:44 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-05 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\UDL
2008-10-05 16:42 --------- d-----w c:\program files\EPSON Print CD
2008-10-05 16:42 --------- d-----w c:\program files\EPSON
2008-10-05 16:37 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2008-10-05 16:35 99,965 ----a-w c:\windows\UninstallThunderbird.exe
2008-10-05 16:35 --------- d-----w c:\program files\Mozilla Thunderbird
2008-10-05 16:35 --------- d-----w c:\documents and settings\Chloe\Application Data\Thunderbird
2008-10-02 10:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-28 09:37 --------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.51.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.51.lnk
backup=c:\windows\pss\Wireless Configuration Utility HW.51.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chloe^Start Menu^Programs^Startup^ubisoft register.lnk]
path=c:\documents and settings\Chloe\Start Menu\Programs\Startup\ubisoft register.lnk
backup=c:\windows\pss\ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
--a--c--- 2006-09-13 10:10 2154496 c:\program files\XpertVision\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--a------ 2008-07-02 15:16 393216 c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 10:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra--c--- 2006-05-27 02:47 16208384 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra--c--- 2006-05-16 10:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-05 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-10-05 20560]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-15 27904]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-10-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-10-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-10-16 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-10-16 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-10-16 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-10-16 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-10-16 115752]
S4 hpt3xx;hpt3xx; []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\kdwjs.exe - c:\windows\system32\kdwjs.exe
MSConfigStartUp-SearchSettings - c:\program files\Search Settings\SearchSettings.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Chloe\Application Data\Mozilla\Firefox\Profiles\gomm6el8.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 10:26:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 10:28:37
ComboFix-quarantined-files.txt 2008-11-22 10:27:33

Pre-Run: 6,063,996,928 bytes free
Post-Run: 6,098,497,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

271 --- E O F --- 2008-11-22 09:59:22

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-22-2008 2:33 (GMT +1)

Following on from above, I have been reading various other threads on this particular virus and as you reccomend to others at the same stage as me I have restarted system restore and then uninstalled combo fix. I have also now removed Super spyware program and have reinstalled spyware terminator as reccomended many time by yourself. I will reboot and post a fresh hijack log.
Thnk you.

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-22-2008 2:42 (GMT +1)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42:32, on 22/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Nature\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Be!!!eled 2\Images\armhelper.ocx
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5404 bytes

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-23-2008 8:36 (GMT +1)

Looks clean smile

How are things running ?

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

r1ch1e
New Member

Date Joined Nov 2008
Total Posts : 7

Posted 11-23-2008 11:12 (GMT +1)

all seems well now, no redirecting issues etc. Seems to take a bit longer to boot but Im guessing thats down to now having zone alarm and spyware terminator running.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-24-2008 5:15 (GMT +1)

Probably. However I suggest you follow the tips, from Step 5 her:

http://home.comcast.net/~SupportCD/OptimizeXP.html

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->

Uninstall ComboFix. Delete its related folders and files.

Reset your clock settings. Hide file extensions.

Hide the system/hidden files. And resets System Restore again.

Also, please read this article by Tony Klein: How I got Infected in the First Place

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

Forum Information

Currently it is Friday, January 09, 2009 4:12 AM (GMT +1)
There are a total of 65.964 posts in 16.185 threads.
In the last 3 days there were 23 new threads and 96 reply posts. View Active Threads