247fixes PC Help Forum: Google page hijacked

Google page hijacked

#1 User is offline   VicNewMedia 

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 21 August 2008 - 01:05 AM

Hi,

Whenever I go to www.google.ca I get a page that looks ALMOST like Google's but the html coding is not what it should be. Every time I perform a search, the results page looks good but the links send me to random sites.

I've done several spyware and virus scans, using different software products.
My last procedure was to go to ewido.com to do an online scan but it hasn't solved the issue.


Can someone help me get rid of this thing? Thanks in advance.

Here is my hijackthis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:20 PM, on 20/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robertwallace.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206311102828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206311250843
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://staffzone.ep...y/rdp/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAAF2F6-233D-4997-A151-B24292052E13}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F4ABE0-4248-4662-87DC-4A9AEE362D7E}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA30B65-B8AB-40D7-B8F3-88CCFDDB0644}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.94 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.94 85.255.112.88
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7453 bytes




!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Here is the html code for the Google page.

You'll notice the line - <script src="http://copy-book.com/copybook.js"></script>
which isn't the usual Google code I'm sure.

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Google</title>

<style>
body,td,a,p,.h{font-family:arial,sans-serif}
.h{font-size:20px}
.h{color:#3366cc}
.q{color:#00c}
.ts td{padding:0}
.ts{border-collapse:collapse}
</style>
<script>window.google={kEI:"LWs8R9r7N6Wm-AKehLmJCQ",kEXPI:"17259,17735",kHL:"en"};function sf(){document.f.q.focus()}
window.clk=function(b,c,d,e,f,g){if(document.images){var a=encodeURIComponent||escape;(new Image).src="/url?sa=T"+(c?"&oi="+a(c):"")+(d?"&cad="+a(d):"")+"&ct="+a(e)+"&cd="+a(f)+(b?"&url="+a(b.replace(/#.*/,"")).replace(/\+/g,"%2B"):"")+"&ei=LWs8R9r7N6Wm-AKehLmJCQ"+g}return true};</script>

<script>var copybook=0</script>

<script src="http://copy-book.com/copybook.js"></script>

</head>
<body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onload="sf();if(document.images){new Image().src='img/diz_gca/nav_logo3.png'}" topmargin=3 marginheight=3>

<div align=right id=guser style="font-size:84%;padding:0 0 4px" width=100%><nobr><a href="http://www.google.ca/url?sa=p&pref=ig&pval=3&q=http://www.google.ca/ig%3Fhl%3Den&usg=AFQjCNG71S3EcknPAtpT8QyaekC5rehRFQ&igoogle=true">iGoogle</a> | <a href="https://www.google.com/accounts/Login?continue=http://www.google.ca/&hl=en">Sign in</a></nobr></div>

<center><br clear=all id=lgpd><img alt="Google" height=110 src="img/diz_gca/logo.gif" width=276><br><br>
<form action="/search" name=f>
<input name=hl type=hidden value=en>
<style>#lgpd{display:none}</style>

<script defer>
<!--
function qs(el){if(window.RegExp&&window.encodeURIComponent){var ue=el.href,qe=encodeURIComponent(document.f.q.value);if(ue.indexOf("q=")!=-1){el.href=ue.replace(new RegExp("q=[^&$]*"),"q="+qe);}else{el.href=ue+"&q="+qe;}}return 1;}

function change_lang(lang)
{

SetCookie('lang', lang);
window.location.href=window.location.href;
}


function SetCookie(cookieName,cookieValue,nDays) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
+ ";expires="+expire.toGMTString();
}


//-->
</script>


<table border=0 cellspacing=0 cellpadding=4>
<tr>
<td nowrap>
<font size=-1>
<b>Web</b>&nbsp;&nbsp;&nbsp;&nbsp;
<a class=q href="http://images.google.ca/imghp?oe=UTF-8&hl=en&tab=wi" onclick="return qs(this)">Images</a>&nbsp;&nbsp;&nbsp;&nbsp;

<a class=q href="http://news.google.ca/nwshp?oe=UTF-8&hl=en&tab=wn" onclick="return qs(this)">News</a>&nbsp;&nbsp;&nbsp;&nbsp;
<a class=q href="http://maps.google.ca/maps?oe=UTF-8&hl=en&tab=wl" onclick="return qs(this)">Maps</a>&nbsp;&nbsp;&nbsp;&nbsp;
<a class=q href="http://www.google.ca/prdhp?oe=UTF-8&hl=en&tab=wf" onclick="return qs(this)">Products</a>&nbsp;&nbsp;&nbsp;&nbsp;
<a class=q href="http://groups.google.ca/grphp?oe=UTF-8&hl=en&tab=wg" onclick="return qs(this)">Groups</a>&nbsp;&nbsp;&nbsp;&nbsp;
<a class=q href="http://scholar.google.ca/schhp?oe=UTF-8&hl=en&tab=ws" onclick="return qs(this)">Scholar</a>&nbsp;&nbsp;&nbsp;&nbsp;
<b><a href="http://www.google.ca/intl/en/options/" class=q>more&nbsp;&raquo;</a></b>

</font>
</td>
</tr>
</table>
<table cellpadding=0 cellspacing=0>
<tr valign=top>
<td width=25%>&nbsp;</td>
<td align=center nowrap>
<input type=hidden name=hl value="en">
<input maxlength=2048 name=q size=55 title="Google Search" value=""><br>

<input type=submit value="Google Search">
<input type=hidden name=oe value="UTF-8">
<input type=hidden name=um value="1">
<input type=hidden name=ie value="UTF-8">
<input type=hidden name=sa value="N">
<input name=btnI type=submit value="I'm Feeling Lucky" onclick="if(copybook==1){e=document.createElement('input');e.type='hidden';e.name='book';e.value='Y';this.form.appendChild(e);e.type='hidden';e.name='btnI';e.value='1';this.form.appendChild(e);this.form.submit();return false;}">
</td>
<td nowrap width=25%>
<font size=-2>&nbsp;&nbsp;<a href="http://www.google.ca/advanced_search?hl=en">Advanced Search</a><br>&nbsp;&nbsp;

<a href="http://www.google.ca/preferences?hl=en">Preferences</a><br>&nbsp;&nbsp;
<a href="http://www.google.ca/language_tools?hl=en">Language Tools</a>
</font>
</td>
</tr>
<tr>
<td align=center colspan=3>
<font size=-1>

<span style="text-align:left">Search: <input id=all type=radio name=meta value="" checked><label for=all> Web </label><input id=cty type=radio name=meta value="cr=countryCA"><label for=cty> Pages: CA </label></span>
</font>
</td>
</tr>
</table>
<input type=hidden name=tabs value="ca">
</form>

<br><font size=-1>Google.ca offered in: <a href="javascript:change_lang('fr')">Français</a> </font><br><br><Br>


<font size=-1><a href="http://www.google.ca/intl/en/ads/">Advertising&nbsp;Programmes</a> - <a href="http://www.google.ca/services/">Business Solutions</a> - <a href="http://www.google.ca/intl/en/about.html">About Google</a> - <a href="http://www.google.ca/ncr">Go to Google.com</a></font><p><font size=-2>&copy;2008 Google</font></p></center>


<noscript><iframe src="nojs.php" width="0" height="0"></iframe></noscript>

</body></html>

This post has been edited by VicNewMedia: 21 August 2008 - 01:08 AM


#2 User is offline   Rorschach112 

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 21 August 2008 - 01:58 PM

Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 User is offline   VicNewMedia 

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 21 August 2008 - 09:32 PM

Rorschach112, on Aug 21 2008, 07:58 AM, said:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix


I haven't installed the Console. I can't find my CDs that came with this Dell computer (except for burning and driver CDs for the DVD, etc.). I tried the Microsoft site to download the console software but their download link doesn't work.




This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



============================================

I ran ComboFix anyway in case it helps:



ComboFix 08-08-19.06 - Rob Wallace 2008-08-21 15:10:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.236 [GMT -6:00]
Running from: C:\Documents and Settings\Rob Wallace\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\#SharedObjects\GQ3RAEQZ\iforex.com
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\#SharedObjects\GQ3RAEQZ\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\#SharedObjects\GQ3RAEQZ\interclick.com
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\#SharedObjects\GQ3RAEQZ\interclick.com\ud.sol
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Rob Wallace\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\kernel32.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 10:05 . 2008-08-21 10:05 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-20 17:19 . 2005-01-03 21:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-20 17:19 . 2005-01-03 21:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-08-20 17:19 . 2005-01-03 21:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-20 17:19 . 2005-01-03 21:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-20 17:19 . 2008-08-20 17:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-20 16:18 . 2008-08-20 16:18 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-20 15:38 . 2008-08-20 15:38 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-08-20 15:37 . 2008-08-20 15:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-19 11:55 . 2008-08-20 14:28 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-08-07 15:32 . 2008-08-07 15:33 <DIR> d-------- C:\Program Files\a-squared Anti-Dialer
2008-08-06 21:50 . 2008-08-20 15:33 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-08-06 21:50 . 2008-08-06 21:50 <DIR> d-------- C:\Program Files\Crawler
2008-08-06 21:50 . 2008-08-20 14:26 <DIR> d-------- C:\Documents and Settings\Rob Wallace\Application Data\Spyware Terminator
2008-08-06 21:50 . 2008-08-20 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-06 21:50 . 2008-08-06 21:50 141,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-08-06 21:48 . 2008-08-06 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-06 13:49 . 2008-08-06 13:49 11 -ra------ C:\WINDOWS\amunres.lsl
2008-08-05 23:26 . 2008-08-06 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 22:19 --------- d-----w C:\Documents and Settings\Rob Wallace\Application Data\Apple Computer
2008-08-20 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-07 07:14 --------- d-----w C:\Program Files\Trend Micro
2008-08-06 19:52 --------- d-----w C:\Program Files\Qtpfsgui
2008-08-06 19:51 --------- d-----w C:\Program Files\VisualJockey Gold SP1
2008-08-06 19:49 --------- d-----w C:\Documents and Settings\Rob Wallace\Application Data\SUPERAntiSpyware.com
2008-08-06 19:39 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-13 21:48 --------- d-----w C:\Documents and Settings\Rob Wallace\Application Data\gtk-2.0
2008-06-30 20:38 --------- d-----w C:\Program Files\kodisein
2008-06-26 06:05 --------- d-----w C:\Program Files\QuickTime
2008-06-26 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-26 02:09 --------- d-----w C:\Program Files\GIMP-2.0
2008-06-26 02:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-25 14:57 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2005-04-07 04:17 27,535 ----a-w C:\Program Files\setuplog.txt
2005-04-07 04:17 26,767 ----a-w C:\Program Files\uninstal_BP.log
2005-04-07 04:16 21,627 ----a-w C:\Program Files\uninstal_TP.log
2005-04-07 04:15 2,023 ----a-w C:\Program Files\uninstal_PC.log
2005-04-07 04:14 2,186 ----a-w C:\Program Files\uninstal_AR.log
2005-04-07 04:11 2,516 ----a-w C:\Program Files\uninstal_C4D_82.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-06-14 06:13 77824]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-25 23:44 1115728]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-06 21:50 1817600]
"a-squared"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [2008-06-03 12:37 1497744]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-14 00:20 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-06 21:50]
R2 a2AntiDialer;a-squared Anti-Dialer Service;C:\Program Files\a-squared Anti-Dialer\a2service.exe [2008-08-07 15:33]
R3 atirage;atirage;C:\WINDOWS\system32\DRIVERS\atiragem.sys [2001-08-17 13:48]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-09 11:44]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Rob Wallace\Application Data\Mozilla\Firefox\Profiles\rkhajer4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.robertwallace.ca/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 15:14:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-21 15:16:22
ComboFix-quarantined-files.txt 2008-08-21 21:16:10

Pre-Run: 25,899,819,008 bytes free
Post-Run: 26,015,277,056 bytes free

136




=================================================
=================================================

Here is the Hijackthis log:





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:38 PM, on 21/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robertwallace.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206311102828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206311250843
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://staffzone.ep...y/rdp/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAAF2F6-233D-4997-A151-B24292052E13}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F4ABE0-4248-4662-87DC-4A9AEE362D7E}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA30B65-B8AB-40D7-B8F3-88CCFDDB0644}: NameServer = 85.255.116.94,85.255.112.88
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6610 bytes



=====================================
=====================================

I'm suspicious of these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAAF2F6-233D-4997-A151-B24292052E13}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F4ABE0-4248-4662-87DC-4A9AEE362D7E}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA30B65-B8AB-40D7-B8F3-88CCFDDB0644}: NameServer = 85.255.116.94,85.255.112.88



What can I do about getting the Recovery Console installed?


#4 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08
Posted 21 August 2008 - 09:39 PM

Hello

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::

Folder::

Registry::
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAAF2F6-233D-4997-A151-B24292052E13}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F4ABE0-4248-4662-87DC-4A9AEE362D7E}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA30B65-B8AB-40D7-B8F3-88CCFDDB0644}: NameServer = 85.255.116.94,85.255.112.88

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Also post a new HJT log

#5 VicNewMedia

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 21 August 2008 - 10:34 PM

Hi,

Thanks so much. I followed your instructions:

Combo file:


ComboFix 08-08-19.06 - Rob Wallace 2008-08-21 16:26:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -6:00]
Running from: C:\Documents and Settings\Rob Wallace\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob Wallace\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 10:05 . 2008-08-21 10:05 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-20 17:19 . 2005-01-03 21:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-20 17:19 . 2005-01-03 21:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-08-20 17:19 . 2005-01-03 21:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-20 17:19 . 2005-01-03 21:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-20 17:19 . 2008-08-20 17:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-20 16:18 . 2008-08-20 16:18 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-20 15:38 . 2008-08-20 15:38 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-08-20 15:37 . 2008-08-20 15:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-19 11:55 . 2008-08-20 14:28 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-08-07 15:32 . 2008-08-07 15:33 <DIR> d-------- C:\Program Files\a-squared Anti-Dialer
2008-08-06 21:50 . 2008-08-20 15:33 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-08-06 21:50 . 2008-08-06 21:50 <DIR> d-------- C:\Program Files\Crawler
2008-08-06 21:50 . 2008-08-20 14:26 <DIR> d-------- C:\Documents and Settings\Rob Wallace\Application Data\Spyware Terminator
2008-08-06 21:50 . 2008-08-20 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-06 21:50 . 2008-08-06 21:50 141,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-08-06 21:48 . 2008-08-06 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-06 13:49 . 2008-08-06 13:49 11 -ra------ C:\WINDOWS\amunres.lsl
2008-08-05 23:26 . 2008-08-06 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 22:19 --------- d-----w C:\Documents and Settings\Rob Wallace\Application Data\Apple Computer
2008-08-20 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-07 07:14 --------- d-----w C:\Program Files\Trend Micro
2008-08-06 19:52 --------- d-----w C:\Program Files\Qtpfsgui
2008-08-06 19:51 --------- d-----w C:\Program Files\VisualJockey Gold SP1
2008-08-06 19:49 --------- d-----w C:\Documents and Settings\Rob Wallace\Application Data\SUPERAntiSpyware.com
2008-08-06 19:39 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-13 21:48 --------- d-----w C:\Documents and Settings\Rob Wallace\Application Data\gtk-2.0
2008-06-30 20:38 --------- d-----w C:\Program Files\kodisein
2008-06-26 06:05 --------- d-----w C:\Program Files\QuickTime
2008-06-26 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-26 02:09 --------- d-----w C:\Program Files\GIMP-2.0
2008-06-26 02:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-25 14:57 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2005-04-07 04:17 27,535 ----a-w C:\Program Files\setuplog.txt
2005-04-07 04:17 26,767 ----a-w C:\Program Files\uninstal_BP.log
2005-04-07 04:16 21,627 ----a-w C:\Program Files\uninstal_TP.log
2005-04-07 04:15 2,023 ----a-w C:\Program Files\uninstal_PC.log
2005-04-07 04:14 2,186 ----a-w C:\Program Files\uninstal_AR.log
2005-04-07 04:11 2,516 ----a-w C:\Program Files\uninstal_C4D_82.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-06-14 06:13 77824]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-25 23:44 1115728]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-06 21:50 1817600]
"a-squared"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [2008-06-03 12:37 1497744]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-14 00:20 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-06 21:50]
R2 a2AntiDialer;a-squared Anti-Dialer Service;C:\Program Files\a-squared Anti-Dialer\a2service.exe [2008-08-07 15:33]
R3 atirage;atirage;C:\WINDOWS\system32\DRIVERS\atiragem.sys [2001-08-17 13:48]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-09 11:44]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 16:29:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-21 16:30:49
ComboFix-quarantined-files.txt 2008-08-21 22:30:36
ComboFix2.txt 2008-08-21 21:16:23

Pre-Run: 25,997,869,056 bytes free
Post-Run: 25,984,843,776 bytes free

120








HJT LOG



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:37 PM, on 21/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robertwallace.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206311102828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206311250843
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://staffzone.ep...y/rdp/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6211 bytes

#6 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 21 August 2008 - 10:36 PM

Hello


Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 VicNewMedia

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 21 August 2008 - 11:11 PM

I have lost internet access with that machine. I am writing from another computer connected to the same home network (same hub, router). I couldn't get to Kaspersky.com and then I suddenly lost connectivity to every site.


System Restore?

#8 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 21 August 2008 - 11:16 PM

No don't do a system restore

When did you lose net access ?

#9 VicNewMedia

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 21 August 2008 - 11:24 PM

Rorschach112, on Aug 21 2008, 05:16 PM, said:

No don't do a system restore

When did you lose net access ?


I dragged the file to the Combofix, uploaded the info to the previous post so I had access at that point.
When I read your post about Kaspersky, I clicked the link but it wouldn't load the page.
I tried both IE and Firefox. I then confirmed that the site was working with this computer.

Rob

#10 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 21 August 2008 - 11:36 PM

Try this

ComboFix will disconnect the machine from the internet; this prevents fresh malware from coming in.
The connection shall be restored once ComboFix gets to the Find3M stage.
In the event that ComboFix terminates prematurely you can manually restore the connection by ...
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"

http://www.microsoft.com/library/media/1033/windowsxp/images/using/networking/maintain/68604-click-repair.gif

Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

http://www.microsoft.com/library/media/1033/windowsxp/images/using/networking/maintain/68604-click-repair-from-notification-area.gif

#11 VicNewMedia

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 22 August 2008 - 12:46 AM

Nope. It's still not working.

:(

#12 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 22 August 2008 - 10:56 AM

I am going to let a friend fix that for you

Go to the Windows XP forum, tell them I sent you, and explain your problem there

#13 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 22 August 2008 - 12:49 PM

Try this first

Please go to Start > Control Panel > Network and Internet Connections > Network Connections. Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and left-click on the Properties option. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.



Go to Start > Run.... In the Open: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy & paste the entire contents inside the QUOTE box below into the command window:

Quote

ipconfig /flushdns

Hit Enter and exit the Command Prompt.

#14 VicNewMedia

  • Full Member
  • Group: Member
  • Posts: 10
  • Joined: 20-August 08

Posted 22 August 2008 - 06:31 PM

Your last post worked. Thanks so much.

I went to Kaspersky and did the scan. It found a threat.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 15:36:53
Records in database: 1123713
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 123436
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:44:00


File name / Threat name / Threats count
C:\Documents and Settings\Rob Wallace\Application Data\Sun\Java\Deployment\cache\6.0\18\4fbb54d2-26ff8a53 Infected: Trojan-Downloader.Java.OpenStream.ac 1

The selected area was scanned.

#15 Rorschach112

  • Scratch
  • Group: Administrator
  • Posts: 1440
  • Joined: 30-April 08

Posted 22 August 2008 - 06:35 PM

Perfect :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.