Google Redirection
Old 05-26-2011, 06:21 PM   #1
Registered Member
 
Join Date: May 2011
Posts: 5
OS: xp



Hi

In these last few days I have noticed that when I try to search for something via Google it redirects me to a site that is identified as dangerous by my antivirus, or to an alternative search engine.

I have also noticed that I am receiving the following message when I start my computer up, about cleanhlm.exe not being read. I have deleted this file once but it returned.

Nothing that I have used has corrected this issue. Usually, after running our virus checker, I can Google something once and get the correct website, but after this it continues to provide me with the dangerous website or alternative search engine.

I have also received the message "instruction @"0x10001af7" could not be read" but I don't know if this is related.

I would really appreciate your help with this issue.

Kind Regards,

Kirstie




DDS (Ver_2011-05-26.01) - NTFS_x86
Internet Explorer: 7.0.5730.13
Run by Kirstie Talbot at 9:37:37 on 2011-05-27
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3582.2545 [GMT 10:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Titanium Maximum Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanionInfo.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.theage.com.au/
uSearch Page = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
uDefault_Page_URL = Personalized Start Page
uSearch Bar = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://au.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sony Ericsson PC Companion] "c:\program files\sony ericsson\sony ericsson pc companion\PCCompanion.exe" /Background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [cleanhlm] c:\documents and settings\kirstie talbot\application data\cleanhlm.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: vic.gov.au\www.edumail
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.4.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.fujifilmimagine.com/imagine/ax/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
Hosts: 184.107.64.190 Google
Hosts: 209.172.56.115 search.yahoo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kirstie talbot\application data\mozilla\firefox\profiles\dzw48o67.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theage.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\firefoxextension\components\TmFFExt.dll
FF - component: c:\program files\trend micro\titanium\uiframework\toolbar\firefoxextension\components\ToolbarFFHelper.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-26 64512]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2010-12-28 188272]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-12-28 64080]
S2 crd;crd;c:\docume~1\matthew\locals~1\temp\ixp001.tmp\poststp.exe --> c:\docume~1\matthew\locals~1\temp\ixp001.tmp\poststp.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2011-1-4 13224]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-25 15232]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2011-1-4 150528]
.
=============== Created Last 30 ================
.
2011-05-26 10:25:59 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-26 07:39:27 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-26 07:32:48 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-26 07:32:38 -------- d-----w- c:\program files\Lavasoft
2011-05-26 0639 -------- d-----w- c:\documents and settings\kirstie talbot\local settings\application data\Trend Micro
2011-05-25 07:24:34 -------- d-----w- c:\program files\CCleaner
2011-05-25 02:15:04 62976 --sh--w- c:\documents and settings\kirstie talbot\application data\cleanhlm.exe
2011-05-25 02:15:04 11776 --sh--w- c:\documents and settings\kirstie talbot\application data\cleanhlm.dll
2011-05-20 22:50:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-07 07:24:08 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-07 07:24:08 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-07 07:24:07 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-07 07:24:07 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-07 07:24:07 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-07 07:24:07 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-07 07:24:06 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-07 07:24:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2009-07-19 02:31:32 10320285 ----a-w- c:\program files\timeflies_setup.exe
2008-12-10 10:49:43 2972904 ----a-w- c:\program files\ccsetup214.exe
.
============= FINISH: 9:38:15.56 ===============
Attached file: attach.zip (6.9 KB)
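The DDS log above already contains the mechanism behind the redirect: the Hosts: lines map Google and search.yahoo.com to public IP addresses, the mRun: value cleanhlm points at an executable in the user's Application Data folder, the cleanhlm.exe/.dll pair was created with the system and hidden attributes (--sh--w-), and the crd service runs a binary out of a temp directory. The script below is an added example written for this thread; it is not part of the original post and not code from the DDS tool. It applies those four checks to report lines. The sample lines are copied from the log above except the 127.0.0.1 localhost line, which is constructed as a benign control. The "user-writable path" rule is an assumption used as a review heuristic: some legitimate updaters do autostart from Local Settings\Application Data, so it produces a list to inspect, not a verdict.

```python
"""Triage a DDS "Pseudo HJT Report" for the entries behind a search redirect.

Added example for this thread; it is not part of the original post and not
code from the DDS tool. It flags four things visible in the log above:
  * Hosts: lines that map a name to a public (routable) IP address
  * Run entries launched from a user profile or temp directory
  * services whose binary lives in a user profile or temp directory
  * files carrying both the system and hidden attributes (--sh--w-)
"""
import ipaddress
import re
from dataclasses import dataclass

# Sample input. Every line is copied from the DDS report in the first post,
# except the "127.0.0.1 localhost" line, which is constructed as a benign control.
SAMPLE_REPORT = r"""
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [cleanhlm] c:\documents and settings\kirstie talbot\application data\cleanhlm.exe
Hosts: 184.107.64.190 Google
Hosts: 209.172.56.115 search.yahoo.com
Hosts: 127.0.0.1 localhost
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-12-28 64080]
S2 crd;crd;c:\docume~1\matthew\locals~1\temp\ixp001.tmp\poststp.exe --> c:\docume~1\matthew\locals~1\temp\ixp001.tmp\poststp.exe [?]
2011-05-25 02:15:04 62976 --sh--w- c:\documents and settings\kirstie talbot\application data\cleanhlm.exe
2011-05-25 02:15:04 11776 --sh--w- c:\documents and settings\kirstie talbot\application data\cleanhlm.dll
2011-05-20 22:50:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
RUN_RE = re.compile(r"^(?P<hive>[mud]Run):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.*)$")
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Heuristic (assumption): installed software autostarts from Program Files or the
# Windows directory. A Run value or service binary inside a user profile's
# Application Data, Local Settings or a temp directory deserves a closer look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    kind: str    # "hosts", "autostart", "service" or "hidden-file"
    name: str    # host name, Run value name, service name or file name
    detail: str  # why the line was flagged


def is_public(ip_text: str) -> bool:
    """True for a routable address; loopback, private, link-local or junk is False."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def in_user_writable(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage(report: str) -> list[Finding]:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            # Legitimate hosts entries point at loopback or LAN addresses. A public
            # IP for a search engine name is what sends every query elsewhere.
            if is_public(m["ip"]):
                findings.append(Finding("hosts", m["name"], f"mapped to public address {m['ip']}"))
        elif m := RUN_RE.match(line):
            if in_user_writable(m["cmd"]):
                findings.append(Finding("autostart", m["name"], f"{m['hive']} value runs {m['cmd']}"))
        elif m := SERVICE_RE.match(line):
            if in_user_writable(m["path"]):
                findings.append(Finding("service", m["name"].strip(), f"{m['state']} service binary: {m['path']}"))
        elif m := FILE_RE.match(line):
            attrs = m["attrs"]
            # DDS prints attribute flags; 's' and 'h' together mean system+hidden,
            # which installers almost never set on a user-profile executable.
            if "s" in attrs and "h" in attrs:
                name = m["path"].rsplit("\\", 1)[-1]
                findings.append(Finding("hidden-file", name, f"attributes {attrs} at {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

Run against the sample it reports six lines: both hosts entries, the cleanhlm autostart, the crd service and the two hidden files; the Citrix autostart, the Trend Micro driver, the localhost mapping and the Flash control panel file pass through untouched.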
Old 05-27-2011, 03:37 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,489
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

It appears that you have two antivirus programs installed and running, Ad-Aware and Trend Micro. While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Download ComboFix and the Microsoft file to a USB drive on another computer and transfer the files to your desktop.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download details: Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Old 05-28-2011, 01:54 AM   #3
Registered Member
 
Join Date: May 2011
Posts: 5
OS: xp



Thanks for your help. Below is the log. It indicated that McAfee was on my computer, but it was uninstalled some time ago.

ComboFix 11-05-27.02 - Kirstie Talbot 28/05/2011 17:40:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3582.2821 [GMT 10:00]
Running from: c:\documents and settings\Kirstie Talbot\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kirstie Talbot\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\1.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\a.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\b.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\c.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\d.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\e.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\f.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\g.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\h.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\i.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\J.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\k.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\l.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\m.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\n.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\o.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\p.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\q.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\r.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\s.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\t.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\u.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\v.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\w.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\x.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\y.xml
c:\documents and settings\John.KIRSTIE\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Kirstie Talbot\Application Data\cleanhlm.dll.vir
c:\documents and settings\Kirstie Talbot\Application Data\cleanhlm.exe
c:\documents and settings\Matthew\Application Data\PriceGong
c:\documents and settings\Matthew\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Matthew\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Sarah\Application Data\PriceGong
c:\documents and settings\Sarah\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Sarah\Application Data\PriceGong\Data\z.xml
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-28 )))))))))))))))))))))))))))))))
.
.
2011-05-26 07:39 . 2011-05-26 07:39 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-26 07:32 . 2011-05-28 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-26 06:06 . 2011-05-26 06:06 -------- d-----w- c:\documents and settings\Kirstie Talbot\Local Settings\Application Data\Trend Micro
2011-05-25 07:24 . 2011-05-25 07:24 -------- d-----w- c:\program files\CCleaner
2011-05-22 21:59 . 2011-05-22 21:59 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Mozilla
2011-05-20 22:50 . 2011-05-20 22:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-07 07:24 . 2011-05-07 07:24 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 07:24 . 2011-05-07 07:24 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 07:24 . 2011-05-07 07:24 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 07:24 . 2011-05-07 07:24 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 07:24 . 2011-05-07 07:24 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 07:24 . 2011-05-07 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 07:24 . 2011-05-07 07:24 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 07:24 . 2011-05-07 07:24 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-11 09:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-11 09:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 09:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2009-07-19 02:31 . 2009-07-19 02:31 10320285 ----a-w- c:\program files\timeflies_setup.exe
2008-12-10 10:49 . 2008-12-10 10:48 2972904 ----a-w- c:\program files\ccsetup214.exe
2010-10-12 06:33 . 2010-10-12 06:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 08:15 . 2010-10-12 08:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 06:37 . 2010-10-12 06:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 06:35 . 2010-10-12 06:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 06:34 . 2010-10-12 06:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 06:32 . 2010-10-12 06:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 06:35 . 2010-10-12 06:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 06:34 . 2010-10-12 06:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-07-14 02:42 . 2010-07-14 02:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 06:37 . 2010-10-12 06:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-05-07 07:24 . 2011-05-07 07:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" [2011-04-14 428544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-11 101136]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-11 101136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-1-3 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-11 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-10 20:11 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 04:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [14/07/2010 12:51 PM 65584]
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [28/12/2010 6:45 PM 188272]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [28/12/2010 6:48 PM 64080]
S2 crd;crd;c:\docume~1\Matthew\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\Matthew\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [4/01/2011 7:43 PM 13224]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [4/01/2011 4:00 PM 150528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://au.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: vic.gov.au\www.edumail
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Kirstie Talbot\Application Data\Mozilla\Firefox\Profiles\dzw48o67.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theage.com.au/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-cleanhlm - c:\documents and settings\Kirstie Talbot\Application Data\cleanhlm.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-28 17:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2011-05-28 17:49:43
ComboFix-quarantined-files.txt 2011-05-28 07:49
.
Pre-Run: 139,316,375,552 bytes free
Post-Run: 144,202,514,432 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B4CAD6718C9A57BE11A22F63993086AD
__________________
kirstie01 is offline  
Old 05-28-2011, 08:37 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,489
OS: XP SP3; Win7 32/64-bit



Hello Kirstie. You're welcome. Are you still being redirected?

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
SecCenter::
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
{94894B63-8C7F-4050-BDA4-813CA00DA3E8}

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

Driver::
crd
Lavasoft Kernexplorer
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
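As an added example (not ComboFix's code and not anything posted in this thread), here is a Python reader for the "Reg Loading Points" and "ORPHANS REMOVED" text of a ComboFix log that flags the same kinds of entries the CFScript above acts on: a service whose binary sits in a Temp folder, a driver or service whose file no longer exists (ComboFix marks these with "[?]"), a Security Center key with DisableMonitoring set, and a Run entry that points into a user profile. The sample log is constructed from lines of the log posted earlier in this thread, and the indicator names are my own.

```python
"""Flag autostart indicators of the kind the CFScript in this thread removes.

Added example (not ComboFix code): a reader for the 'Reg Loading Points'
and 'ORPHANS REMOVED' text of a ComboFix log. Output is a list of leads
for the analyst to confirm against the rest of the log, not verdicts.
"""
import re

# Constructed sample assembled from lines of the log posted in this thread.
# Raw string: the paths are full of backslashes that must not be interpreted.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [14/07/2010 12:51 PM 65584]
S2 crd;crd;c:\docume~1\Matthew\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\Matthew\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-cleanhlm - c:\documents and settings\Kirstie Talbot\Application Data\cleanhlm.exe
"""

# One registry key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A string value under a Run key: "Name"="path" [date size]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
# Security Center monitoring switched off for one product
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
SECCENTER_RE = re.compile(r'\\security center\\monitoring\\(?P<product>[^\\]+)$', re.I)
# Service/driver line: <state> <name>;<display name>;<path> [--> resolved path] [info]
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<target>.+)$')
# Orphan autostart entry that ComboFix removed: HKLM-Run-<name> - <path>
ORPHAN_RE = re.compile(r'^(?P<hive>HK\w+)-Run-(?P<name>.+?)\s+-\s+(?P<path>.+)$')
# Locations a legitimate service binary or Run target rarely lives in
TEMP_RE = re.compile(r'\\temp\\|\\temporary internet files\\', re.I)
PROFILE_RE = re.compile(r'\\(application data|local settings)\\', re.I)


def scan_combofix(text):
    """Return (indicator, entry_name) pairs in log order."""
    findings = []
    current_key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        if DISABLE_RE.match(line):
            product = SECCENTER_RE.search(current_key)
            if product:
                findings.append(('security_center_monitoring_disabled', product.group('product')))
            continue
        m = RUN_VALUE_RE.match(line)
        if m:
            if current_key.lower().endswith('\\run') and PROFILE_RE.search(m.group('path')):
                findings.append(('run_entry_in_user_profile', m.group('name')))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = m.group('name').strip()
            target = m.group('target')
            if target.endswith('[?]'):  # ComboFix marks a file it could not find with [?]
                findings.append(('service_file_missing', name))
            if TEMP_RE.search(target):
                findings.append(('service_in_temp', name))
            continue
        m = ORPHAN_RE.match(line)
        if m and PROFILE_RE.search(m.group('path')):
            findings.append(('run_entry_in_user_profile', m.group('name')))
    return findings


if __name__ == '__main__':
    for indicator, entry in scan_combofix(SAMPLE_LOG):
        print(f'{indicator:36} {entry}')
```

A missing-file hit is a cleanup candidate rather than proof of infection: the Lavasoft Kernexplorer entry flagged here is a leftover of a legitimate tool, while the crd service launching from a Temp folder is the one that deserves attention.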
Old 05-28-2011, 08:29 PM   #5
Registered Member
 
Join Date: May 2011
Posts: 5
OS: xp



Hi

I am no longer being redirected. Below is the log for the above.

ComboFix 11-05-27.02 - Kirstie Talbot 29/05/2011 11:58:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3582.2817 [GMT 10:00]
Running from: c:\documents and settings\Kirstie Talbot\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kirstie Talbot\Desktop\CFScript.txt
AV: Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CRD
-------\Legacy_LAVASOFT_KERNEXPLORER
-------\Service_crd
-------\Service_Lavasoft Kernexplorer
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-26 07:39 . 2011-05-26 07:39 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-26 07:32 . 2011-05-28 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-26 06:06 . 2011-05-26 06:06 -------- d-----w- c:\documents and settings\Kirstie Talbot\Local Settings\Application Data\Trend Micro
2011-05-22 21:59 . 2011-05-22 21:59 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Mozilla
2011-05-20 22:50 . 2011-05-20 22:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-07 07:24 . 2011-05-07 07:24 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 07:24 . 2011-05-07 07:24 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 07:24 . 2011-05-07 07:24 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 07:24 . 2011-05-07 07:24 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 07:24 . 2011-05-07 07:24 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 07:24 . 2011-05-07 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 07:24 . 2011-05-07 07:24 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 07:24 . 2011-05-07 07:24 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-11 09:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-11 09:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 09:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2009-07-19 02:31 . 2009-07-19 02:31 10320285 ----a-w- c:\program files\timeflies_setup.exe
2008-12-10 10:49 . 2008-12-10 10:48 2972904 ----a-w- c:\program files\ccsetup214.exe
2010-10-12 06:33 . 2010-10-12 06:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 08:15 . 2010-10-12 08:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 06:37 . 2010-10-12 06:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 06:35 . 2010-10-12 06:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 06:34 . 2010-10-12 06:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 06:32 . 2010-10-12 06:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 06:35 . 2010-10-12 06:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 06:34 . 2010-10-12 06:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-07-14 02:42 . 2010-07-14 02:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 06:37 . 2010-10-12 06:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-05-07 07:24 . 2011-05-07 07:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" [2011-04-14 428544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-11 101136]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-11 101136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-1-3 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-11 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-10 20:11 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 04:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [14/07/2010 12:51 PM 65584]
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [28/12/2010 6:45 PM 188272]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [28/12/2010 6:48 PM 64080]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [4/01/2011 7:43 PM 13224]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [4/01/2011 4:00 PM 150528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://au.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: vic.gov.au\www.edumail
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Kirstie Talbot\Application Data\Mozilla\Firefox\Profiles\dzw48o67.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theage.com.au/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-29 12:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Trend Micro\Titanium\plugin\TmvExt.dll
c:\program files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll
c:\program files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\fxssvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\windows\stsystra.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanionInfo.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-29 12:16:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-29 02:16
ComboFix2.txt 2011-05-28 07:49
.
Pre-Run: 144,173,678,592 bytes free
Post-Run: 144,160,964,608 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3BBF3A436DCC814A97BE86022DAB197D
__________________
kirstie01 is offline  
Old 05-28-2011, 08:46 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,489
OS: XP SP3; Win7 32/64-bit



Hello again, Kirstie. Good job!

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 23 can be updated from the Java Control Panel. Go to Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
__________________

chemist is offline  
Old 05-29-2011, 03:52 AM   #7
Registered Member
 
Join Date: May 2011
Posts: 5
OS: xp



Below you will find the logs you have requested. Trend Micro identified the following on the USB stick I used to back up some files:

E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe,WORM_AUTORUN.FMC,Removed

Looking forward to your response,

Kirstie

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 6708

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

29/05/2011 1:17:54 PM
mbam-log-2011-05-29 (13-17-54).txt

Scan type: Quick scan
Objects scanned: 230186
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=db91bb90c1f6df479291d74ae9c7b32f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-29 07:47:03
# local_time=2011-05-29 05:47:03 (+1000, AUS Eastern Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777191 100 0 12284746 12284746 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=127355
# found=2
# cleaned=0
# scan_time=9316
C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL.vir Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1141\A0184987.DLL Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
__________________
kirstie01 is offline  
Old 05-29-2011, 10:00 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,489
OS: XP SP3; Win7 32/64-bit



Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable TrendMicro before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
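The HOSTS file mechanism chemist describes above (a name mapped to 127.0.0.1 never reaches the network) is the same mechanism a redirection infection abuses in the other direction: a line that maps a real site to a routable address overrides DNS for that name on the machine. The following Python script is an added example, not code from the thread, from ComboFix or from the MVPS project; it parses HOSTS-file text the way the resolver reads it and separates the expected blocking entries from entries that point a real hostname at a non-loopback address. The sample HOSTS text, the sink-address set and the three categories are constructed assumptions for illustration.

```python
"""Classify Windows HOSTS entries: blocking entries versus hostname hijacks.

Added example. The parsing rules, category names and SAMPLE_HOSTS below
are constructed for illustration and are not taken from the thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Addresses a blocking HOSTS file (such as the MVPS list) uses as a sink:
# a connection to a listed name is sent to the local machine and fails.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the required localhost line, two MVPS-style
# blocking entries, and two lines that quietly send search traffic to a
# routable address (the hosts-based form of "Google redirection").
SAMPLE_HOSTS = """\
# comments are ignored by the resolver
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net          # MVPS-style block entry
127.0.0.1 adserver.example          # block entry with trailing comment
198.51.100.23 www.google.com        # suspicious: real site, non-loopback
198.51.100.23 google.com
"""

Entry = Tuple[str, str, int]  # (address, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, hostname, line_number) for every mapping.

    Comments start at '#', blank lines are skipped, and one address may
    carry several hostnames on a line, as the resolver itself reads it.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address; the resolver ignores the line too
        for name in names:
            entries.append((addr, name.lower(), lineno))
    return entries


def find_hijacks(text: str) -> Dict[str, List[Entry]]:
    """Sort HOSTS entries into three constructed categories.

    'localhost': the standard loopback entries
    'blocked'  : a name mapped to a sink address (expected for ad blocking)
    'hijack'   : a name mapped to a routable address; such a line overrides
                 DNS for that name and deserves a look on an infected host
    """
    result: Dict[str, List[Entry]] = {"localhost": [], "blocked": [], "hijack": []}
    for addr, name, lineno in parse_hosts(text):
        entry = (addr, name, lineno)
        if name in ("localhost", "localhost.localdomain"):
            result["localhost"].append(entry)
        elif addr in SINK_ADDRESSES:
            result["blocked"].append(entry)
        else:
            result["hijack"].append(entry)
    return result


if __name__ == "__main__":
    report = find_hijacks(SAMPLE_HOSTS)
    for category, found in report.items():
        print(f"{category}: {len(found)}")
        for addr, name, lineno in found:
            print(f"  line {lineno}: {name} -> {addr}")
```

On a real XP machine the file to feed `find_hijacks` is `C:\Windows\System32\drivers\etc\hosts`; a clean MVPS install should produce only `localhost` and `blocked` entries, and anything in `hijack` is worth comparing against what the same names resolve to from a known-good machine.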
Old 05-30-2011, 12:28 AM   #9
Registered Member
 
Join Date: May 2011
Posts: 5
OS: xp



Thank you so much for your help, I have really appreciated it.
__________________
kirstie01 is offline  
Old 05-30-2011, 08:31 AM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,489
OS: XP SP3; Win7 32/64-bit



You're very welcome, kirstie01! Glad to have helped.

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Copyright 2001 - 2014, Tech Support Forum