Google Redirecting Me?

[MrPokeahole]

I have recently acquired the google redirect virus. I was trying to download a game, but some of the files I needed AVG detected was infected, however, I don't know if they have been removed. I looked around for some resolutions, and followed part of your guides on 2 different threads that you had help resolved. I followed the tutorials with SUPERAntiSpyware and Malwarebytes, however, I am now up to the ComboFix part and I have no idea what I'm doing with it :P

 

Could you please help me out here?

 

P.S. I first noticed it when my dad asked me to look something up about 2 hours later, it was redirecting me to a link that said "cpcadnet". It appeared to be gone after I followed part of your guide, but it was still there when I was browsing later that night.

[Superdave]

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

 

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*******************************************

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

•Please leave the others unchecked

 

•Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

 

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

 

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

*****************************************

 

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

***********************************************

Download DDS from HERE or HERE and save it to your desktop.

 

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

 

* XP users Double click on dds to run it.

* If your antivirus or firewall try to block DDS then please allow it to run.

* When finished DDS will open two (2) logs.

 

1) DDS.txt

2) Attach.txt

 

* Save both logs to your desktop.

* Please copy and paste the entire contents of both logs in your next reply.

 

Note: DDS will instruct you to post the Attach.txt log as an attachment.

Please just post it as you would any other log by copy and pasting it into the reply.

[MrPokeahole]

Logs

 

Sorry, all the logs are in this txt file.

Logs.txt

[Superdave]

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• Click the Report button and copy/paste the contents of it into your next reply
  

Note:It will also create a log in the C:\ directory..

[MrPokeahole]

Logs

 

I scanned and then rebooted, then clicked report after it rebooted. the one that says 10:25 is before i rebooted, the one at 10:29 was after i rebooted.

TDSSKiller.2.4.21.0_28.04.2011_10.25.06_log.txt

TDSSKiller.2.4.21.0_28.04.2011_10.29.17_log.txt

[Superdave]

Please copy and paste your logs in your replies.

 

Please download ComboFix http://img7.imageshack.us/img7/4930/combofix.gif from BleepingComputer.com

 

Alternate link: GeeksToGo.com

 

and save it to your Desktop.

It would be easiest to download using Internet Explorer.

If you insist on using Firefox, make sure that your download settings are as follows:

 

* Tools->Options->Main tab

* Set to "Always ask me where to Save the files".

 

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here

Double click ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif

 

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

 

If you have problems with ComboFix usage, see How to use ComboFix

[MrPokeahole]

Log and False Postive.

 

ComboFix has deleted Steam.exe, as indicated below. But Steam.exe is not malware/spyware. It is a program designed to host games made from the company Valve (i.e. Half-Life 2, Portal, Counter-Strike: Source).

 

I installed it yesterday, and it has deleted the exe file!

 

Not happy with that. But heres the log anyway.

 

ComboFix 11-04-28.01 - Anthony 29/04/2011 8:16.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1261 [GMT 9.5:30]

Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Anthony\WINDOWS

c:\program files\Steam\Steam.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))

.

.

2011-04-28 09:03 . 2011-04-28 09:03 -------- d-----w- c:\program files\Telstra

2011-04-28 09:03 . 2011-04-28 09:05 -------- d-----w- c:\documents and settings\Anthony\Application Data\Sierra Wireless

2011-04-28 09:03 . 2011-04-28 09:03 -------- d-----w- c:\program files\Sierra Wireless Inc

2011-04-28 09:03 . 2011-04-28 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Sierra Wireless

2011-04-28 07:59 . 2004-01-21 13:33 1474628 ----a-w- c:\windows\system32\STEAMUI.dll

2011-04-28 07:59 . 2004-01-21 13:33 3461120 ----a-w- c:\windows\system32\Steam.dll

2011-04-28 07:09 . 2011-04-28 22:49 -------- d-----w- c:\program files\Steam

2011-04-27 10:25 . 2011-04-27 10:25 -------- d-----w- c:\documents and settings\Anthony\Application Data\AnvSoft

2011-04-27 10:25 . 2011-04-27 10:25 -------- d-----w- c:\program files\AnvSoft

2011-04-27 06:57 . 2011-04-27 06:57 -------- d-----w- c:\program files\Common Files\Steam

2011-04-26 07:37 . 2011-04-26 07:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-04-26 07:34 . 2011-04-26 07:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-04-26 04:06 . 2011-04-26 04:06 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-04-26 04:00 . 2011-04-26 04:00 -------- d-----w- c:\documents and settings\Anthony\Application Data\SUPERAntiSpyware.com

2011-04-26 04:00 . 2011-04-26 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-04-26 03:59 . 2011-04-26 04:00 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-26 00:35 . 2011-04-26 00:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-04-25 07:17 . 2011-04-25 07:17 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\CrashRpt

2011-04-25 07:17 . 2011-04-25 23:22 -------- d-----w- c:\program files\Livestream Procaster

2011-04-25 07:17 . 2011-04-25 07:17 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\Procaster

2011-04-24 06:44 . 2011-04-25 07:11 -------- d-----w- c:\windows\OvtCam

2011-04-23 05:37 . 2011-04-28 22:52 -------- d-----w- c:\documents and settings\Anthony\Application Data\Dropbox

2011-04-17 04:43 . 2011-04-17 04:43 -------- d-----w- c:\program files\Common Files\Adobe

2011-04-13 18:09 . 2011-04-13 18:09 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-04-13 18:09 . 2011-04-13 18:09 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

2011-04-13 10:08 . 2011-04-13 10:12 -------- d-----w- c:\documents and settings\Anthony\Application Data\GetRightToGo

2011-04-13 09:35 . 2011-04-13 09:38 -------- d-----w- c:\program files\PFConfig

2011-04-13 08:02 . 2011-04-13 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\TorrentEasy

2011-04-10 06:04 . 2011-04-28 09:17 -------- d-----w- c:\documents and settings\Anthony\Application Data\skypePM

2011-04-10 06:04 . 2011-04-25 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-04-10 06:04 . 2011-04-28 22:52 -------- d-----w- c:\documents and settings\Anthony\Application Data\Skype

2011-04-10 06:02 . 2011-04-10 06:02 -------- d-----w- c:\program files\Common Files\Skype

2011-04-10 06:02 . 2011-04-10 06:03 -------- d-----r- c:\program files\Skype

2011-04-10 06:02 . 2011-04-10 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2011-04-10 04:25 . 2011-04-13 10:15 -------- d-----w- c:\documents and settings\Anthony\Application Data\uTorrent

2011-04-05 07:28 . 2011-04-05 07:28 -------- d-----w- c:\program files\Free M4a to MP3 Converter

2011-03-31 08:08 . 2011-03-31 08:08 -------- d-----w- c:\program files\JoyToKey

2011-03-31 07:46 . 2011-03-31 07:46 -------- d-----w- c:\documents and settings\Anthony\Application Data\fofix

2011-03-31 07:30 . 2011-03-31 07:31 -------- d-----w- c:\documents and settings\Anthony\.lilypond-fonts.cache-2

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-29 06:04 . 2011-03-29 06:04 40960 ----a-r- c:\documents and settings\Anthony\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2011-03-29 06:04 . 2011-03-29 06:04 40960 ----a-r- c:\documents and settings\Anthony\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe

2011-03-21 08:32 . 2011-03-21 08:32 45056 ----a-r- c:\documents and settings\Anthony\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe

2011-03-13 22:19 . 2011-03-13 22:19 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-13 22:19 . 2011-03-13 22:19 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:33 . 2011-02-18 11:42 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-04-14 07:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2008-04-14 07:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-04-14 07:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-14 07:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2008-04-14 07:00 385024 ----a-w- c:\windows\system32\html.iec

2011-02-19 03:49 . 2008-10-22 15:28 87280 ----a-w- c:\windows\system32\bcmwlcoi.dll

2011-02-19 03:49 . 2008-10-22 15:28 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS

2011-02-18 12:20 . 2011-02-18 12:20 45056 ----a-r- c:\documents and settings\Anthony\Application Data\Microsoft\Installer\{CDA1ADA3-BBB4-4250-B272-AC21C78C3968}\NewShortcut2_DF0CCA89BE294B7D9A229DB872E01239.exe

2011-02-18 12:20 . 2011-02-18 12:20 40960 ----a-r- c:\documents and settings\Anthony\Application Data\Microsoft\Installer\{CDA1ADA3-BBB4-4250-B272-AC21C78C3968}\NewShortcut8_DF0CCA89BE294B7D9A229DB872E01239.exe

2011-02-18 06:06 . 2011-02-27 03:21 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-18 06:06 . 2011-02-27 03:21 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-17 13:18 . 2008-04-14 07:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2008-04-14 07:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2011-02-18 23:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2008-04-14 07:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2008-04-14 07:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 07:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2008-04-14 07:00 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2008-04-14 07:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58 . 2011-02-18 11:40 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-03-18 17:53 . 2011-03-25 07:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Anthony\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Anthony\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Anthony\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Anthony\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"\\DONATO-PC\EPSON TX300F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEJP.EXE" [2008-01-22 188928]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-01 15145352]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 142360]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-25 177456]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]

"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2009-08-07 354360]

"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2009-07-27 24848]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-01 421160]

"IntegardTray"="c:\program files\Integard\IntegardTray.exe" [2011-03-12 466944]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2010-08-05 570736]

"WatcherHelper"="c:\program files\Telstra\Telstra Connection Manager\WaHelper.exe" [2010-06-23 103792]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Anthony\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Anthony\Application Data\Dropbox\bin\Dropbox.exe [2011-4-16 25351696]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2009-06-03 05:44 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2009-06-03 05:43 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2009-07-27 16:29 192784 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Integard\\Integard.exe"=

"c:\\Program Files\\Integard\\IntegardTray.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Anthony\\My Documents\\Downloads\\utorrent-1.6.exe"=

"c:\\Documents and Settings\\Anthony\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Steam\\bin\\SteamService.exe"=

.

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [29/07/2009 2:30 PM 109216]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [29/07/2009 2:30 PM 51408]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29/07/2009 2:30 PM 12960]

R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [3/03/2011 3:41 PM 20088]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [29/07/2009 2:30 PM 12528]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 3:55 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/05/2010 4:11 AM 67656]

R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [3/06/2009 3:16 PM 207400]

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [14/04/2008 4:30 PM 14336]

R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Bioscrypt [14/04/2008 4:30 PM 14336]

R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [29/07/2009 11:43 AM 1201400]

R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [7/08/2009 3:59 PM 45056]

R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [29/07/2009 2:28 PM 256544]

R2 IERA;Sierra Wireless Error Reporting Agent;c:\program files\Sierra Wireless Inc\IERA\IERA.exe [28/04/2011 6:33 PM 152432]

R2 INTEGARD;Integard Service;c:\program files\Integard\Integard.exe [12/03/2011 5:02 PM 937984]

R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\Sierra Wireless Inc\Common\SwiCardDetect.exe [30/08/2010 5:31 PM 218480]

R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [19/02/2011 2:44 PM 482176]

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [18/02/2011 9:58 PM 193840]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23/07/2008 10:31 AM 44800]

S0 cerc6;cerc6; [x]

S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [18/02/2011 9:49 PM 35072]

S3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [21/06/2010 4:07 PM 78720]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [21/06/2010 3:46 PM 201088]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [21/06/2010 3:47 PM 156544]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASBroker

Bioscrypt REG_MULTI_SZ ASChannel

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\program files\Integard\Integard.dll

FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\vt8zfr4d.default\

FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Steam - c:\program files\Steam\Steam.exe

HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

SafeBoot-klmdb.sys

AddRemove-Steam App 400 - c:\program files\Steam\steam.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-29 08:21

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,10,7c,35,81,1e,52,4d,b6,70,e1,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,10,7c,35,81,1e,52,4d,b6,70,e1,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(988)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\program files\ActivIdentity\ActivClient\ackpbsc.dll

c:\program files\ActivIdentity\ActivClient\aclog.dll

c:\program files\ActivIdentity\ActivClient\accrypto.dll

c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL

c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

c:\program files\Hewlett-Packard\IAM\bin\itmsg.dll

c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll

c:\program files\Hewlett-Packard\IAM\bin\brand.dll

c:\program files\Hewlett-Packard\IAM\Bin\AsChnl.dll

c:\program files\Hewlett-Packard\IAM\Bin\HPPlugIn.dll

c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll

c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTStrings.dll

c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll

c:\program files\Hewlett-Packard\IAM\Bin\ItClient.dll

c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL

c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll

c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll

c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll

c:\program files\Integard\Integard.dll

c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll

c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\program files\ActivIdentity\ActivClient\aipingui.dll

c:\program files\ActivIdentity\ActivClient\acevtsub.dll

c:\program files\ActivIdentity\ActivClient\asphat32.dll

c:\program files\ActivIdentity\ActivClient\acerrmes.dll

c:\program files\ActivIdentity\ActivClient\aiwinext.dll

c:\program files\ActivIdentity\ActivClient\aspcom.dll

c:\program files\ActivIdentity\ActivClient\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll

.

- - - - - - - > 'lsass.exe'(1044)

c:\program files\Integard\Integard.dll

.

- - - - - - - > 'explorer.exe'(2412)

c:\windows\system32\WININET.dll

c:\program files\Hewlett-Packard\IAM\Bin\APSHook.dll

c:\documents and settings\Anthony\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Synaptics\SynTP\SynTPEnh.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\program files\Hewlett-Packard\Shared\hpqToaster.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2011-04-29 08:25:50 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-28 22:55

.

Pre-Run: 92,269,617,152 bytes free

Post-Run: 93,709,910,016 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 500F72537D444FF42C7A0A2D53AAF48B

[Superdave]

I installed it yesterday, and it has deleted the exe file!

There might have been something wrong with the file. There are two malware programs that run under the same name. Wait until we're finished cleaning and re-install it.

 

SysProt Antirootkit

 

Download

SysProt Antirootkit from the link below (you will find it at the bottom

of the page under attachments, or you can get it from one of the

mirrors).

 

http://sites.google.com/site/sysprotantirootkit/

 

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
  
• In the Write to log box select the following items.
  
  • Process << Selected
    
  • Kernel Modules << Selected
    
  • SSDT << Selected
    
  • Kernel Hooks << Selected
    
  • IRP Hooks << NOT Selected
    
  • Ports << NOT Selected
    
  • Hidden Files << Selected
    

  [*]At the bottom of the page

  • Hidden Objects Only << Selected
    

  [*]Click on the Create Log button on the bottom right.

  [*]After a few seconds a new window should appear.

  [*]Select Scan Root Drive. Click on the Start button.

  [*]When it is complete a new window will appear to indicate that the scan is finished.

  [*]The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

[MrPokeahole]

Whoops and Log.

 

Oh ok, whoops. I re-installed the program :P. Do you want me to uninstall it?

 

Log:

 

SysProt AntiRootkit v1.0.1.0

by swatkat

 

******************************************************************************************

******************************************************************************************

 

No Hidden Processes found

 

******************************************************************************************

******************************************************************************************

Kernel Modules:

Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys

Service Name: ---

Module Base: 99653000

Module End: 9972D000

Hidden: Yes

 

******************************************************************************************

******************************************************************************************

SSDT:

Function Name: ZwOpenProcess

Address: BA3C9738

Driver Base: BA3C8000

Driver End: BA3CD000

Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

 

Function Name: ZwTerminateProcess

Address: BA3C97DC

Driver Base: BA3C8000

Driver End: BA3CD000

Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

 

Function Name: ZwTerminateThread

Address: BA3C9878

Driver Base: BA3C8000

Driver End: BA3CD000

Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

 

Function Name: ZwWriteVirtualMemory

Address: BA3C9914

Driver Base: BA3C8000

Driver End: BA3CD000

Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

 

******************************************************************************************

******************************************************************************************

No Kernel Hooks found

 

******************************************************************************************

******************************************************************************************

Hidden files/folders:

Object: C:\Qoobox\BackEnv\AppData.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Cache.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Cookies.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Desktop.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Favorites.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\History.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Music.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\NetHood.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Personal.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Pictures.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Programs.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Recent.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\SendTo.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\SetPath.bat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\StartUp.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\SysPath.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Templates.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\VikPev00

Status: Access denied

[Superdave]

Do you want me to uninstall it?

No.

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log

[MrPokeahole]

ESETScan Log

 

C:\Documents and Settings\All Users\Application Data\TorrentEasy\extensions.exe a variant of Win32/Adware.GoodMedia.C application cleaned by deleting - quarantined

C:\System Volume Information\_restore{99993E00-938C-42CB-A06C-6E3080CE6690}\RP87\A0016469.exe a variant of Win32/Adware.GoodMedia.C application cleaned by deleting - quarantined

[Superdave]

That looks good. How's your computer running? Any more redirects?

[MrPokeahole]

:D

 

Dude, thankyou so much, no more redirects at all. Thanks again! :mrgreen:

[Superdave]

That's good. Let's do some cleanup and we'll be finished. You can keep SAS and MBAM, if you wish. Update them and run them on a regular basis to keep the bugs out. You can delete TDSSKiller from your desktop.

 

To uninstall ComboFix

 

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

 

http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg

 

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

 

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

***************************************************

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

**************************************************

Looking over your log it seems you don't have any evidence of a third party firewall.

 

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

 

Remember only install ONE firewall

 

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)

2) Online Armor

3) Agnitum Outpost

4) PC Tools Firewall Plus

 

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

***************************************************

You can uninstall/delete any other programs that we used.

 

Use the Secunia Software Inspector to check for out of date software.

 

•Click Start Now

 

•Check the box next to Enable thorough system inspection.

 

•Click Start

 

•Allow the scan to finish and scroll down to see if any updates are needed.

•Update anything listed.

.

----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!

[MrPokeahole]

sadfkhalsf

 

Thanks man!

[Superdave]

You're welcome. Stay safe.

[enoskype]

I would appreciate if IS360 is used with the latest updated database to check and report be posted to see if there is any false positive.

 

Thank you.