Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
It looks like there have been numerous versions of google redirect problems and all need to be looked at individually. Plus it seems that the tools needed to combat it need expert knowledge, which I assuredly do not have. Another problem has been clicking on links that people to various tools that are supposed to help, they often do not work. This may simply be because most of the threads I have seen have been quite old, or it may be a symptom. Any help greatly appreciated. Thank you :)
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.If you have trouble installing or running MalwareBytes or Hijack This do the following:
If you got them downloaded rename the setup file then try installing them again.
Right click the mbam-setup.exe file> click rename> rename it something.exe then try to run it. If it installed but will not run navigate to this folder:
C:\Programs Files\Malwarebytes' AntiMalware
Rename the mbam.exe file then try to run it again, if still no luck rename all the .exe files in the MAlwarebytes' Anti-Malware folder and try to run it again.
For Hijack This rename the Hijack This.exe file to something else and try installing it again.
If renaming did not help you can download malwarebytes and Hijack This to a cd or usb jump drive from an uninfected computer then run them on the infected computer.
0 
Thanks for the reply.
Neither of these links will open. They attempt to take me to:
http://www.besttechie.net/tools/mba...
and
http://www.majorgeeks.com/Malwareby...
Both come up with 'Page Load Error' and my computer crashed when first attempting to access them. Neither www.besttechie.net, nor www.majorgeeks.com work by themselves.
Could this be the clever virus attempting to save itself?Any more help much appreciated,
Thanks,
Mark :)
0
Should be just the opposite for site 1 and 2 but is at the right place.
Please download HostsXpert from the following link:
Extract the HostsXpert.zip by doing the following:Right-click HostsXpert.zip and select extract all – Follow the wizard and extract it to your DesktopClick Finish. Double-click the HostsXpert folder and then double-click HostsXpert.exe. Click “ Restore MS Hosts File” and press OK.Exit the program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
<B<Try the Malwarebytes links again.
If no luck click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer then try the links again.
0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:43:54, on 17/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vtune\TBPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [oshark] "C:\Program Files\OrangeShark\OrangeShark.exe" -minimize
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.exe (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitS...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Opti...
O22 - SharedTaskScheduler: discommodiousness - {33b8d257-07f6-4c06-8605-94bc21728635} - C:\WINDOWS\system32\onljweo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe--
End of file - 12699 bytes
0
Thanks. It wasnt hostsxpert but the second thing that allowed me to access the links - so something is disabled. I havent posted the report from malwarebytes because it was too long and the forum wouldnt let me (HJT report is 5 pages on word, Malwarebytes is 40!).
Should I be scanning and deleting with malwarebytes regularly and deleting everything it finds? I have avast! but I guess it doesnt scan for the same things.
Google is working now, should I enable the hardware that I disabled?
Thanks very much
0
That is a mean baddie that you have and will take two more programs to kill it and maybe a few files to manually delete.
Once you get SDFix downloaded go offline and turn of your antivirus and any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
0
Thanks so much for all your help - here's the report. Looking through my 'Non-Plug and Play Drivers' I see that 'TDSSserv.sys' is gone but two things claim not to be working properly - 'catchme' and 'serial. The first sounds suspicous.
[b]SDFix: Version 1.240 [/b]
Run by Administrator on 18/12/2008 at 13:27Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix[b]Checking Services [/b]:
[b]Name [/b]:
TDSSserv.sys[b]Path [/b]:
\systemroot\system32\drivers\TDSSmxft.sysTDSSserv.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts FileRebooting
[b]Checking Files [/b]:Trojan Files Found:
C:\WINDOWS\system32\drivers\TDSSmxft.sys - Deleted
C:\WINDOWS\system32\TDSSmtpe.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTPE.dat - DeletedRemoving Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 13:40:37
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:a6,98,20,52,b5,ab,a8,ba,bd,66,53,7d,2b,24,9c,db,d3,26,c1,f2,46,..[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b9,40,e8,fc,d7,b2,f8,9a,91,8e,85,86,47,7a,89,22,8f,..
"khjeh"=hex:6d,d5,f8,a8,83,3c,1f,98,a1,44,f5,c5,2e,25,17,65,72,e0,1d,82,8f,..[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4d,dc,9b,0a,ac,5c,8a,82,ff,dd,26,42,62,69,85,39,3a,45,d8,07,a7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:a6,98,20,52,b5,ab,a8,ba,bd,66,53,7d,2b,24,9c,db,d3,26,c1,f2,46,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b9,40,e8,fc,d7,b2,f8,9a,91,8e,85,86,47,7a,89,22,8f,..
"khjeh"=hex:6d,d5,f8,a8,83,3c,1f,98,a1,44,f5,c5,2e,25,17,65,72,e0,1d,82,8f,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4d,dc,9b,0a,ac,5c,8a,82,ff,dd,26,42,62,69,85,39,3a,45,d8,07,a7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:a6,98,20,52,b5,ab,a8,ba,bd,66,53,7d,2b,24,9c,db,d3,26,c1,f2,46,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b9,40,e8,fc,d7,b2,f8,9a,91,8e,85,86,47,7a,89,22,8f,..
"khjeh"=hex:6d,d5,f8,a8,83,3c,1f,98,a1,44,f5,c5,2e,25,17,65,72,e0,1d,82,8f,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4d,dc,9b,0a,ac,5c,8a,82,ff,dd,26,42,62,69,85,39,3a,45,d8,07,a7,..scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"E:\\STHIW\\stInstall.exe"="E:\\STHIW\\stInstall.exe:*:Enabled:SpeedTouch Home Install Wizard"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Zultrax P2P\\Zultrax.exe"="C:\\Program Files\\Zultrax P2P\\Zultrax.Exe:*:Enabled:Zultrax"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"E:\\Release\\Tiscali.exe"="E:\\Release\\Tiscali.exe:*:Enabled:Tiscali Wireless Gateway Installation"
"C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"="C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe:*:Enabled:left4dead"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Steam\\steamapps\\bowker\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\bowker\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"="C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe:*:Enabled:left4dead"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"[b]Remaining Files [/b]:
File Backups: - C:\SDFix\backups\backups.zip[b]Files with Hidden Attributes [/b]:
Sun 24 Dec 2006 211 A.SHR --- "C:\BOOT.BAK"
Thu 29 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 29 Aug 2005 121,240 A..HR --- "C:\Program Files\THQ\Dawn Of War\Disk1CheckW40k.exe"
Fri 19 Aug 2005 121,237 A..HR --- "C:\Program Files\THQ\Dawn Of War\Disk1Check.exe"
Wed 3 Dec 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 20 Nov 2008 67,498,308 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\929eb99194b0a6ebc902f109017631be\BIT2E.tmp"
Thu 3 Apr 2008 27,136 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 26 Mar 2008 42,496 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 2 Apr 2008 23,552 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 26 Mar 2008 22,528 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL0249.tmp"
Sat 8 Nov 2008 38,400 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL2496.tmp"
Sat 8 Nov 2008 40,448 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL2845.tmp"
Wed 26 Mar 2008 23,040 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL3031.tmp"
Wed 2 Apr 2008 25,088 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL3502.tmp"
Sat 8 Nov 2008 37,888 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL3644.tmp"
Sat 8 Nov 2008 37,888 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL3737.tmp"
Sat 8 Nov 2008 22,528 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL3788.tmp"
Sat 8 Nov 2008 38,912 ...H. --- "C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Word\~WRL3966.tmp"
Tue 26 Aug 2008 12,069 ...HR --- "C:\Documents and Settings\HP_Administrator\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 8 Nov 2008 37,376 ...H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Essays\Language and Reality\~WRL1844.tmp"
Sat 8 Nov 2008 37,376 ...H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Essays\Language and Reality\~WRL3752.tmp"
Wed 2 Apr 2008 27,136 ...H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Essays\Modern\~WRL0005.tmp"
Wed 2 Apr 2008 25,600 ...H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Essays\Modern\~WRL0736.tmp"
Wed 2 Apr 2008 22,016 ...H. --- "C:\Documents and Settings\HP_Administrator\My Documents\Essays\Modern\~WRL2327.tmp"
Thu 29 May 2008 11,115 A.SH. --- "C:\Documents and Settings\HP_Administrator\My Documents\My Music\License Backup\drmv2key.bak"[b]Finished![/b]
0
They are normal.
Make sure you have the newest java update, version 6 update 11. Go to start> control panel> java> general tab> about. I you do not have the newest version click the update tab> update now.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.In your case to run Combofix do the following:
1. Go offline turn off your Avast antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.
0
ComboFix 08-12-17.01 - HP_Administrator 2008-12-18 14:25:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1515 [GMT 0:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:\windows\Sysvxd.exe
D:\Autorun.inf.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.2008-12-18 13:26 . 2008-12-18 13:26 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-18 13:24 . 2008-12-18 13:24 <DIR> d-------- c:\windows\ERUNT
2008-12-18 13:18 . 2008-12-18 13:43 <DIR> d-------- C:\SDFix
2008-12-17 14:43 . 2008-12-17 14:43 <DIR> d-------- c:\program files\Bonjour
2008-12-17 00:26 . 2008-12-17 00:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 00:26 . 2008-12-17 00:26 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2008-12-17 00:26 . 2008-12-17 00:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 00:26 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-17 00:26 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 13:47 . 2008-12-16 13:47 <DIR> d-------- c:\program files\Trend Micro
2008-12-16 13:21 . 2008-12-16 13:32 <DIR> d-------- C:\fixwareout
2008-12-14 21:24 . 2008-12-14 21:24 308,024 --a------ C:\st01.lbm
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-11-29 19:36 . 2008-11-29 19:36 308,024 --a------ C:\st00.lbm
2008-11-29 16:39 . 2008-11-29 16:39 <DIR> d-------- C:\Sanitarium
2008-11-27 15:42 . 2008-11-27 15:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 14:59 . 2008-11-26 14:59 <DIR> d-------- c:\program files\iTunes
2008-11-26 14:59 . 2008-11-26 14:59 <DIR> d-------- c:\program files\iPod
2008-11-26 14:59 . 2008-11-26 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 14:57 . 2008-11-26 14:57 <DIR> d-------- c:\program files\QuickTime
2008-11-20 20:44 . 2008-11-20 20:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-20 19:38 . 2008-11-20 19:38 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-20 19:38 . 2008-11-20 19:38 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-20 19:38 . 2008-12-18 13:43 203,188 --a------ c:\windows\system32\nvapps.xml
2008-11-20 19:37 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.exe
2008-11-20 19:37 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-11-20 19:37 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-11-20 14:22 . 2008-11-20 14:22 <DIR> d-------- c:\program files\Driver Sweeper
2008-11-20 14:10 . 2008-11-20 19:42 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-20 14:09 . 2008-11-20 14:09 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-20 13:56 . 2008-11-20 13:56 <DIR> d-------- c:\windows\Logs
2008-11-20 13:55 . 2008-11-20 14:04 <DIR> d-------- c:\program files\Vtune
2008-11-20 13:55 . 2008-11-20 14:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-20 13:55 . 2007-03-16 10:11 12,256 --a------ c:\windows\system32\drivers\TBPanel.sys.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 00:10 --------- d-----w c:\program files\Steam
2008-12-17 17:28 --------- d-----w c:\program files\Ichor
2008-12-17 16:07 --------- d-----w c:\documents and settings\All Users\Application Data\Zultrax P2P
2008-12-16 12:48 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HP
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-03 02:06 --------- d-----w c:\program files\BitComet
2008-12-03 01:31 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-03 00:35 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Xfire
2008-11-30 02:11 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-27 15:42 --------- d-----w c:\program files\Java
2008-11-27 15:14 --------- d-s---w c:\program files\Xfire
2008-11-26 14:59 --------- d-----w c:\program files\Common Files\Apple
2008-11-18 17:58 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-18 17:58 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\SystemRequirementsLab
2008-11-17 23:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-15 19:04 --------- d-----w c:\program files\Realtek
2008-11-15 16:52 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-11-12 17:02 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-11-10 23:25 --------- d-----w c:\program files\DivX
2008-11-05 13:44 --------- d-----w c:\program files\Tiscali
2008-10-31 11:38 4,942,336 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2008-10-28 17:18 17,331,200 ----a-w c:\windows\RTHDCPL.exe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-18 19:26 --------- d-----w c:\program files\Super Mario World
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-10-02 18:44 5,384,109 -c--a-w c:\documents and settings\HP_Administrator\Application Data\consoleclassixsetup.exe
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 16:38 2,168,320 ----a-w c:\windows\MicCal.exe
2008-09-24 20:26 61,440 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-09-24 20:26 45,056 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-09-24 20:26 44,032 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-09-24 20:26 40,960 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-09-24 20:26 341,048 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2008-09-24 20:26 32,768 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-09-24 20:26 32,768 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-09-24 20:26 217,088 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2008-09-24 20:26 163,840 -c--a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2007-12-31 16:11 22,328 -c--a-w c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-07-10 2154496][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.exe" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-27 136600]
"LVCOMSX"="c:\windows\system32\LVCOMSX.exe" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-02 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"bcmwltry"="bcmwltry.exe" [2003-01-13 c:\windows\system32\bcmwltry.exe]
"removecpl"="RemoveCpl.exe" [2003-01-15 c:\windows\system32\RemoveCpl.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 c:\windows\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2008-06-19 c:\windows\ALCMTR.EXE]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-05-28 450560]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.exe [2000-01-21 65588][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Zultrax P2P\\Zultrax.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Steam\\steamapps\\bowker\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12786:TCP"= 12786:TCP:BitComet 12786 TCP
"12786:UDP"= 12786:UDP:BitComet 12786 UDPR1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-01 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-01 20560]
S3 bfastfao;bfastfao;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bfastfao.sys []
S3 ENDETECT;ENDETECT;\??\e:\release\ENDETECT.SYS []
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 TAPBIND;TAPBIND;\??\e:\release\TAPBIND1.SYS []*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]2008-12-18 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 17:36]
.
- - - - ORPHANS REMOVED - - - -HKCU-Run-oshark - c:\program files\OrangeShark\OrangeShark.exe
HKLM-Run-PC Pitstop Optimize Reminder - c:\program files\PCPitstop\Optimize2\Reminder.exe
HKLM-Run-PCDrProfiler - (no file)
MSConfigStartUp-lphcjeej0eaco - c:\windows\system32\lphcjeej0eaco.exe
MSConfigStartUp-SMrhcneej0eaco - c:\program files\rhcneej0eaco\rhcneej0eaco.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.uk/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oom29x9m.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll[color=red]ATTENTION: FIREFOX POLICES IS IN FORCE [/color]
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 14:26:36
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-12-18 14:27:59
ComboFix-quarantined-files.txt 2008-12-18 14:27:32Pre-Run: 112,685,506,560 bytes free
Post-Run: 113,079,156,736 bytes free245 --- E O F --- 2008-12-18 02:59:48
0
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Run an online scan with Kaspersky from the following link:
Kaspersky Online ScannerNote: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
0
Messed up first scan, so did a scan of 'critical areas'. Both turned up one result, so I assume they were the same.
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 18, 2008 13:23:16
Records in database: 1476560
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 100715
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:06:50File name Threat name Threats count
C:\Program Files\Online Services\BTYahoo\HPPre05.msi Infected: not-a-virus:Dialer.Win32.BT.g 1
The selected area was scanned.I'll do another full scan tonight and post it to make sure.
0
That looks like a false positive to me.
You computer appears to be clean
Navigate to and delete this folder:
C:\SDFix
Delete HostXpert from your desktop.
Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.
Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Kaspersky
You should keep AFT Cleaner and run it weekly.
You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link SpywareblasterJust download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?
0
Messed up first scan, so did a scan of 'critical areas'. Both turned up one result, so I assume they were the same.
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 18, 2008 13:23:16
Records in database: 1476560
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 100715
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:06:50File name Threat name Threats count
C:\Program Files\Online Services\BTYahoo\HPPre05.msi Infected: not-a-virus:Dialer.Win32.BT.g 1
The selected area was scanned.I'll do another full scan tonight and post it to make sure.
0
Yeh pc is good. Startup is faster even than before the virus and of course no google or link problems.
Couldn't find Kaspersky in add/remove, but I suppose that isnt a problem.
If you have any tips on pc maintainance I would appreciate it. There are so many programs to protect from viruses etc, and to clean drivers, registry etc. that I never really know what is useful. Recently changed McAfee for Avast! (cos it was free) but then didnt have any spyware protection (untill the one you just recommended).
Thanks so much for all your help :)
0
That was probably a good idea to go to avast, the big guy's antivirus programs want to attach themselves to everything in the computer and use a lot of resources.
There are many free good antispyware programs Spywareblaster is one of the better ones.
If you don't use a firewall you need one although they can be aggrevating. I think Kerio and zonealarm have free ones.
0
I just have the windows firewall, which I thought would be ok.
Thanks one last time for all your help. Never thought responses would be so quick :)
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
