07-20-2007, 03:11 PM   #1
Retark
Registered User
 
Join Date: Jul 2007
Posts: 6
OS: XP


Searchportal virus

Hi

Need some help. I have a popup page coming up every 20 sec and I can't get rid of it :(
The page is "searchportal"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:08:41, on 2007-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program\ICQToolbar\tbuC\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Tomas\LOKALA~1\Temp\{806F97C5-9D15-4442-8F3C-7823A215C36C}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?8c788115a48747749654599ab4bc5531
O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?8c788115a48747749654599ab4bc5531
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\retrorun.exe

--
End of file - 10576 bytes


// Retark

07-20-2007, 06:06 PM   #2
Clark76
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,696
OS: XP Pro, Vista, Ubuntu 8.10


Re: Searchportal virus

Hello and welcome to TSF

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
07-20-2007, 07:00 PM   #3
Clark76
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,696
OS: XP Pro, Vista, Ubuntu 8.10


Re: Searchportal virus

Hello again

Download ComboFix from here
http://download.bleepingcomputer.com...a/ComboFix.exe

**Save it directly to your desktop**

Double-click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


After running ComboFix, please run HijackThis again and also post the new log that is produced.
07-21-2007, 02:05 AM   #4
Registered User
 
Join Date: Jul 2007
Posts: 6
OS: XP


Re: Searchportal virus

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Tomas\APPLIC~1.\sks~1
C:\Program\Delade filer\{34B45~1
C:\Program\Delade filer\{34B45~1\toolbardll.lzma
C:\Program\Delade filer\uninstall information
C:\WINDOWS\fnts~1
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-21 09:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 22:33 <KAT> d-------- C:\WINDOWS\system32\sv-se
2007-07-20 22:31 <KAT> d-------- C:\WINDOWS\network diagnostic
2007-07-20 22:20 <KAT> d-------- C:\!KillBox
2007-07-19 20:52 <KAT> d-------- C:\Program\XoftSpySE
2007-07-19 20:42 <KAT> d-------- C:\WINDOWS\ERUNT
2007-07-19 20:29 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-19 20:29 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Skrivare
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Nätverket
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Mallar
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Skrivbord
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Mina dokument
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Favoriter
2007-07-19 18:11 <KAT> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-19 18:10 <KAT> d-------- C:\Virus program
2007-07-19 17:40 <KAT> d-------- C:\WINDOWS\pss
2007-07-18 23:30 <KAT> d-------- C:\Program\Uniblue
2007-07-18 23:30 <KAT> d-------- C:\DOCUME~1\Tomas\APPLIC~1\Uniblue
2007-07-18 23:16 <KAT> d-------- C:\Program\RegClean
2007-07-18 23:16 <KAT> d-------- C:\DOCUME~1\Tomas\APPLIC~1\RegClean
2007-07-17 17:49 71,680 --------- C:\WINDOWS\system32\drivers\PAVDRV51.SYS
2007-07-17 17:49 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-07-17 17:49 236 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-07-17 17:49 <KAT> d-------- C:\WINDOWS\system32\PAV
2007-07-17 17:49 <KAT> d-------- C:\Program\Panda Software
2007-07-17 17:34 <KAT> d-------- C:\VundoFix Backups
2007-07-17 17:18 8,576 --a------ C:\WINDOWS\system32\drivers\vtcgabwbikam.sys
2007-07-17 17:11 <KAT> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-14 14:59 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-14 14:37 <KAT> dr------- C:\DOCUME~1\LOCALS~1\Favoriter
2007-07-14 14:37 <KAT> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\ICQ Toolbar
2007-07-14 14:37 <KAT> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-11 12:33 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-07-11 12:33 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-07-11 12:33 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-07-11 12:33 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-07-11 12:33 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-11 12:33 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-07-11 12:33 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-07-11 12:33 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-07-11 12:33 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-07-11 01:22 <KAT> d-------- C:\Program\Aspyr
2007-07-11 00:35 3,982 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-11 00:28 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-07-11 00:28 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-07-11 00:22 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-07-10 00:22 <KAT> d-------- C:\Recyclers
2007-07-10 00:22 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-03 18:49 <KAT> d-------- C:\Program\PAF Tournament Director's Poker Clock
2007-07-03 17:43 <KAT> d-------- C:\Program\The Tournament Director 2
2007-07-03 15:36 <KAT> d-------- C:\Program\PKR
2007-06-22 16:30 <KAT> d-------- C:\Program\DC++


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 20:28:29 63,572 ----a-w C:\WINDOWS\system32\perfc01D.dat
2007-07-20 20:28:29 386,352 ----a-w C:\WINDOWS\system32\perfh01D.dat
2007-07-19 19:59:36 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Azureus
2007-07-19 17:21:30 -------- d-----w C:\Program\Messenger
2007-07-19 17:21:30 -------- d-----w C:\Program\ICQToolbar
2007-07-19 16:23:35 -------- d-----w C:\Program\Google
2007-07-17 22:12:55 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Skype
2007-07-17 15:49:18 -------- d--h--w C:\Program\InstallShield Installation Information
2007-07-17 15:18:20 -------- d-----w C:\Program\QuickTime
2007-07-17 15:18:20 -------- d-----w C:\Program\iTunes
2007-07-17 15:18:15 -------- d-----w C:\Program\ICQLite
2007-07-17 15:17:57 -------- d-----w C:\Program\DAEMON Tools
2007-07-17 15:17:38 -------- d-----w C:\Program\Windows Live Toolbar
2007-07-17 15:17:38 -------- d-----w C:\Program\MSN Messenger
2007-07-17 14:35:18 -------- d-----w C:\Program\Trend Micro
2007-07-16 16:19:43 -------- d-----w C:\Program\Delade filer\Symantec Shared
2007-07-16 16:18:11 -------- d-----w C:\Program\Symantec
2007-07-09 18:27:25 1,626 ----a-w C:\DOCUME~1\Tomas\APPLIC~1\wklnhst.dat
2007-06-23 23:13:05 -------- d-----w C:\Program\Azureus
2007-06-06 22:16:28 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-06 22:16:07 -------- d-----w C:\Program\D-Tools
2007-05-31 14:38:02 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Symantec
2007-05-25 19:13:13 -------- d-----w C:\Program\DivX
2007-05-16 15:20:05 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:22:55 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 15:00 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"LogitechVideoRepair"="C:\Program\Logitech\Video\ISStart.exe" [2004-10-08 12:31]
"LogitechVideoTray"="C:\Program\Logitech\Video\LogiTray.exe" [2004-10-08 12:24]
"RemoteControl"="C:\Program\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"MMTray"="C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"GrooveMonitor"="C:\Program\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Symantec PIF AlertEng"="C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"LanzarL2007"="C:\DOCUME~1\Tomas\LOKALA~1\Temp\{806F97C5-9D15-4442-8F3C-7823A215C36C}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" []
"APVXDWIN"="C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06]
"Uniblue RegistryBooster 2"="C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-03 13:51]
"Uniblue SpeedUpMyPC"="C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 12:20]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-09-06 17:47]
"swg"="C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-19 18:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-20 18:57:54]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-09-06 17:47:38]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2006-07-14 13:46 45056 C:\WINDOWS\system32\avldr.dll

023 - amdk8 - system32\DRIVERS\AmdK8.sys
023 - messanger - c:\Recyclers\svchost.exe
023 - microsoft office groove audit service - "C:\Program\Microsoft Office\Office12\GrooveAuditService.exe"
023 - mxofx - system32\DRIVERS\MXOFX.SYS
023 - mxopswd - system32\DRIVERS\mxopswd.sys
023 - odserv - "C:\Program\Delade filer\Microsoft Shared\OFFICE12\ODSERV.EXE"
023 - pavdrv - \??\C:\WINDOWS\system32\Drivers\pavdrv51.sys
023 - qcmerced - system32\DRIVERS\LVCM.sys
023 - vtcgabwbikam - system32\drivers\vtcgabwbikam.sys
023 - wmbenum - system32\drivers\WmBEnum.sys
023 - wmfilter - system32\drivers\WmFilter.sys
023 - wmvirhid - system32\drivers\WmVirHid.sys
023 - wmxlcore - system32\drivers\WmXlCore.sys


Contents of the 'Scheduled Tasks' folder
2007-07-19 17:02:01 C:\WINDOWS\tasks\RegClean Scheduled Scan.job
2007-07-19 17:17:07 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-19 16:13:32 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-07-19 16:59:34 C:\WINDOWS\tasks\Uniblue SpyEraser.job
2007-07-21 07:44:33 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-19 18:52:23 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 09:57:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 9:58:04
C:\ComboFix-quarantined-files.txt ... 2007-07-21 09:57


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:46, on 2007-07-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Logitech\Video\FxSvr2.exe
c:\program\panda software\panda antivirus 2007\WebProxy.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program\ICQToolbar\tbuC\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Tomas\LOKALA~1\Temp\{806F97C5-9D15-4442-8F3C-7823A215C36C}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?8c788115a48747749654599ab4bc5531
O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?8c788115a48747749654599ab4bc5531
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\retrorun.exe

--
End of file - 10403 bytes
Retark is offline  
Old 07-21-2007, 08:52 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,735
OS: 2000 Pro; XP Pro; XP Home


Re: Searchportal virus

Hello Retark -

It appears that the ComboFix log posted is incomplete.

Can you please locate C:\ComboFix.txt, and post it again? Be sure to press Ctrl+A to select all, Ctrl+C to copy all, then Ctrl+V to paste all into a thread.

Thanks.

Clark76 will be back with a next round of instructions after that.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-23-2007, 12:07 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 6
OS: XP


Re: Searchportal virus

I hope this is right

"Tomas" - 2007-07-23 19:58:35 - ComboFix 07-07-21.4 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


2007-07-21 09:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 22:33 <KAT> d-------- C:\WINDOWS\system32\sv-se
2007-07-20 22:31 <KAT> d-------- C:\WINDOWS\network diagnostic
2007-07-20 22:20 <KAT> d-------- C:\!KillBox
2007-07-19 20:52 <KAT> d-------- C:\Program\XoftSpySE
2007-07-19 20:42 <KAT> d-------- C:\WINDOWS\ERUNT
2007-07-19 20:29 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-19 20:29 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Skrivare
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Nätverket
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Mallar
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Skrivbord
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Mina dokument
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Favoriter
2007-07-19 18:11 <KAT> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-19 18:10 <KAT> d-------- C:\Virus program
2007-07-19 17:40 <KAT> d-------- C:\WINDOWS\pss
2007-07-18 23:30 <KAT> d-------- C:\Program\Uniblue
2007-07-18 23:30 <KAT> d-------- C:\DOCUME~1\Tomas\APPLIC~1\Uniblue
2007-07-18 23:16 <KAT> d-------- C:\Program\RegClean
2007-07-18 23:16 <KAT> d-------- C:\DOCUME~1\Tomas\APPLIC~1\RegClean
2007-07-17 17:49 71,680 --------- C:\WINDOWS\system32\drivers\PAVDRV51.SYS
2007-07-17 17:49 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-07-17 17:49 236 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-07-17 17:49 <KAT> d-------- C:\WINDOWS\system32\PAV
2007-07-17 17:49 <KAT> d-------- C:\Program\Panda Software
2007-07-17 17:34 <KAT> d-------- C:\VundoFix Backups
2007-07-17 17:18 8,576 --a------ C:\WINDOWS\system32\drivers\vtcgabwbikam.sys
2007-07-17 17:11 <KAT> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-14 14:59 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-14 14:37 <KAT> dr------- C:\DOCUME~1\LOCALS~1\Favoriter
2007-07-14 14:37 <KAT> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\ICQ Toolbar
2007-07-14 14:37 <KAT> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-11 12:33 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-07-11 12:33 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-07-11 12:33 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-07-11 12:33 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-07-11 12:33 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-11 12:33 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-07-11 12:33 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-07-11 12:33 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-07-11 12:33 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-07-11 01:22 <KAT> d-------- C:\Program\Aspyr
2007-07-11 00:35 3,982 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-11 00:28 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-07-11 00:28 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-07-11 00:22 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-07-10 00:22 <KAT> d-------- C:\Recyclers
2007-07-10 00:22 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-03 18:49 <KAT> d-------- C:\Program\PAF Tournament Director's Poker Clock
2007-07-03 17:43 <KAT> d-------- C:\Program\The Tournament Director 2
2007-07-03 15:36 <KAT> d-------- C:\Program\PKR


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 20:28:29 63,572 ----a-w C:\WINDOWS\system32\perfc01D.dat
2007-07-20 20:28:29 386,352 ----a-w C:\WINDOWS\system32\perfh01D.dat
2007-07-19 19:59:36 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Azureus
2007-07-19 17:21:30 -------- d-----w C:\Program\Messenger
2007-07-19 17:21:30 -------- d-----w C:\Program\ICQToolbar
2007-07-19 16:23:35 -------- d-----w C:\Program\Google
2007-07-17 22:12:55 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Skype
2007-07-17 15:49:18 -------- d--h--w C:\Program\InstallShield Installation Information
2007-07-17 15:18:20 -------- d-----w C:\Program\QuickTime
2007-07-17 15:18:20 -------- d-----w C:\Program\iTunes
2007-07-17 15:18:15 -------- d-----w C:\Program\ICQLite
2007-07-17 15:17:57 -------- d-----w C:\Program\DAEMON Tools
2007-07-17 15:17:38 -------- d-----w C:\Program\Windows Live Toolbar
2007-07-17 15:17:38 -------- d-----w C:\Program\MSN Messenger
2007-07-17 14:35:18 -------- d-----w C:\Program\Trend Micro
2007-07-16 16:19:43 -------- d-----w C:\Program\Delade filer\Symantec Shared
2007-07-16 16:18:11 -------- d-----w C:\Program\Symantec
2007-07-09 18:27:25 1,626 ----a-w C:\DOCUME~1\Tomas\APPLIC~1\wklnhst.dat
2007-06-30 14:56:59 -------- d-----w C:\Program\DC++
2007-06-23 23:13:05 -------- d-----w C:\Program\Azureus
2007-06-06 22:16:28 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-06 22:16:07 -------- d-----w C:\Program\D-Tools
2007-05-31 14:38:02 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Symantec
2007-05-25 19:13:13 -------- d-----w C:\Program\DivX
2007-05-16 15:20:05 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:22:55 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 15:00 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"LogitechVideoRepair"="C:\Program\Logitech\Video\ISStart.exe" [2004-10-08 12:31]
"LogitechVideoTray"="C:\Program\Logitech\Video\LogiTray.exe" [2004-10-08 12:24]
"RemoteControl"="C:\Program\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"MMTray"="C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"GrooveMonitor"="C:\Program\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Symantec PIF AlertEng"="C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"LanzarL2007"="C:\DOCUME~1\Tomas\LOKALA~1\Temp\{806F97C5-9D15-4442-8F3C-7823A215C36C}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" []
"APVXDWIN"="C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06]
"Uniblue RegistryBooster 2"="C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-03 13:51]
"Uniblue SpeedUpMyPC"="C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 12:20]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-09-06 17:47]
"swg"="C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-19 18:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-20 18:57:54]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-09-06 17:47:38]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2006-07-14 13:46 45056 C:\WINDOWS\system32\avldr.dll

023 - amdk8 - system32\DRIVERS\AmdK8.sys
023 - messanger - c:\Recyclers\svchost.exe
023 - microsoft office groove audit service - "C:\Program\Microsoft Office\Office12\GrooveAuditService.exe"
023 - mxofx - system32\DRIVERS\MXOFX.SYS
023 - mxopswd - system32\DRIVERS\mxopswd.sys
023 - odserv - "C:\Program\Delade filer\Microsoft Shared\OFFICE12\ODSERV.EXE"
023 - pavdrv - \??\C:\WINDOWS\system32\Drivers\pavdrv51.sys
023 - qcmerced - system32\DRIVERS\LVCM.sys
023 - vtcgabwbikam - system32\drivers\vtcgabwbikam.sys
023 - wmbenum - system32\drivers\WmBEnum.sys
023 - wmfilter - system32\drivers\WmFilter.sys
023 - wmvirhid - system32\drivers\WmVirHid.sys
023 - wmxlcore - system32\drivers\WmXlCore.sys


Contents of the 'Scheduled Tasks' folder
2007-07-19 17:02:01 C:\WINDOWS\tasks\RegClean Scheduled Scan.job
2007-07-19 17:17:07 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-19 16:13:32 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-07-19 16:59:34 C:\WINDOWS\tasks\Uniblue SpyEraser.job
2007-07-23 17:49:01 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-19 18:52:23 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 20:00:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 20:01:37
C:\ComboFix-quarantined-files.txt ... 2007-07-23 20:01
C:\ComboFix2.txt ... 2007-07-21 09:58

--- E O F ---



------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2029, on 2007-07-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Logitech\Video\LogiTray.exe
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\program\panda software\panda antivirus 2007\WebProxy.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program\ICQToolbar\tbuC\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Tomas\LOKALA~1\Temp\{806F97C5-9D15-4442-8F3C-7823A215C36C}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?8c788115a48747749654599ab4bc5531
O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?8c788115a48747749654599ab4bc5531
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\retrorun.exe

--
End of file - 10362 bytes
Retark is offline  
Old 07-23-2007, 01:25 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 6
OS: XP


Re: Searchportal virus

Don't know if this is right, but that's all I get in the logfile after I have run ComboFix.

// Retark
Retark is offline  
Old 07-23-2007, 09:01 PM   #8 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,696
OS: XP Pro, Vista, Ubuntu 8.10


Re: Searchportal virus

Hello


P2P - I see you have P2P software <DC++ and Azureus> installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

============

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

============

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

Please remember to close all other windows, including browsers then click Fix checked.


=============

Open notepad and copy/paste the text in the quotebox below into it:
Quote:
File::
c:\Recyclers\svchost.exe

Driver::
messanger

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanzarL2007"=-
Save this as "CFScript"




Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


=================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===============

Please provide the following logs with your next post:

C:\ComboFix.txt
Kaspersky report
new HijackThis log

Also include an update on how your system is running
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Clark76 is offline  
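As an added example (not code from this thread, nor from HijackThis or ComboFix), here is a small Python triage that flags the kinds of log entries the helper picked out above: "(no file)" orphans, autostarts launched from a Temp or Recycler folder (or through "..\" traversal), and a service binary that reuses a core Windows process name outside System32. The sample lines are constructed, modelled on the logs in this thread; the O23 "messanger" line and the shortened GUID are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of HijackThis-style lines (modelled on this thread's logs; the
# O23 "messanger" line and the {GUID-PLACEHOLDER} are assumptions, not real values).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Tomas\LOKALA~1\Temp\{GUID-PLACEHOLDER}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O23 - Service: messanger - Unknown owner - c:\Recyclers\svchost.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# An HJT entry starts with its section code (R0..R3, O1..O24) followed by " - ".
SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - ")
# A Windows path ending in a loadable/executable extension. The non-greedy body lets the
# path contain spaces, which HijackThis prints unquoted for some entries.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx))\b", re.IGNORECASE)
# Process names that are legitimate only under %SystemRoot%\System32.
CORE_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                      "winlogon.exe", "csrss.exe", "smss.exe"}
# Path fragments that are unusual for anything meant to start at boot/logon.
SUSPECT_DIRS = ("\\temp\\", "\\recycler", "\\..\\")


@dataclass
class Finding:
    line_no: int
    section: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def check_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line raises no flag."""
    m = SECTION_RE.match(line)
    if not m:
        return None  # header, running-process list or blank line: not an HJT entry
    finding = Finding(line_no, m.group(1), None)

    # 1. The registry still points at a component that is no longer on disk.
    if line.rstrip().endswith("(no file)"):
        finding.reasons.append("orphaned entry: registered component no longer on disk")

    pm = PATH_RE.search(line)
    if pm:
        path = pm.group(1)
        finding.path = path
        low = path.lower()
        # 2. Autostart target lives in Temp, a Recycler folder, or is reached via "..\".
        for marker in SUSPECT_DIRS:
            if marker in low:
                label = marker.strip("\\")
                finding.reasons.append(f"target loaded from unusual location ({label})")
        # 3. A core system process name in the wrong directory.
        directory, _, name = low.rpartition("\\")
        if name in CORE_PROCESS_NAMES and not directory.endswith("\\system32"):
            finding.reasons.append(f"{name} outside System32: possible system-process masquerade")

    # 4. Services with no publisher string deserve a manual look (not proof of anything).
    if finding.section == "O23" and "Unknown owner" in line:
        finding.reasons.append("service with no publisher string (verify manually)")

    return finding if finding.reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log and collect the flagged ones."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        f = check_line(no, line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}] {f.path or '(no file)'}")
        for reason in f.reasons:
            print("   -", reason)
```

The flagged lines are only candidates for review: the thread shows an "Unknown owner" service (ATI Smart) that is benign, so a human still decides what goes into a fix list.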
Old 07-24-2007, 02:08 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 6
OS: XP


Re: Searchportal virus

Hi again.

The popup virus is gone, I think; haven't seen it in 2 days now.

Here are the logs:


"Tomas" - 2007-07-24 19:09:53 - ComboFix 07-07-21.4 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Tomas\Skrivbord\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\Recyclers\svchost.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MESSANGER
-------\Messanger


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-21 09:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 22:33 <KAT> d-------- C:\WINDOWS\system32\sv-se
2007-07-20 22:31 <KAT> d-------- C:\WINDOWS\network diagnostic
2007-07-20 22:20 <KAT> d-------- C:\!KillBox
2007-07-19 20:52 <KAT> d-------- C:\Program\XoftSpySE
2007-07-19 20:42 <KAT> d-------- C:\WINDOWS\ERUNT
2007-07-19 20:29 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-19 20:29 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Skrivare
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Nätverket
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Mallar
2007-07-19 20:29 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Skrivbord
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Mina dokument
2007-07-19 20:29 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Favoriter
2007-07-19 18:11 <KAT> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-19 18:10 <KAT> d-------- C:\Virus program
2007-07-19 17:40 <KAT> d-------- C:\WINDOWS\pss
2007-07-18 23:30 <KAT> d-------- C:\Program\Uniblue
2007-07-18 23:30 <KAT> d-------- C:\DOCUME~1\Tomas\APPLIC~1\Uniblue
2007-07-18 23:16 <KAT> d-------- C:\Program\RegClean
2007-07-18 23:16 <KAT> d-------- C:\DOCUME~1\Tomas\APPLIC~1\RegClean
2007-07-17 17:49 71,680 --------- C:\WINDOWS\system32\drivers\PAVDRV51.SYS
2007-07-17 17:49 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-07-17 17:49 236 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-07-17 17:49 <KAT> d-------- C:\WINDOWS\system32\PAV
2007-07-17 17:49 <KAT> d-------- C:\Program\Panda Software
2007-07-17 17:34 <KAT> d-------- C:\VundoFix Backups
2007-07-17 17:18 8,576 --a------ C:\WINDOWS\system32\drivers\vtcgabwbikam.sys
2007-07-17 17:11 <KAT> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-14 14:59 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-14 14:37 <KAT> dr------- C:\DOCUME~1\LOCALS~1\Favoriter
2007-07-14 14:37 <KAT> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\ICQ Toolbar
2007-07-14 14:37 <KAT> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-11 12:33 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-07-11 12:33 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-07-11 12:33 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-07-11 12:33 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-07-11 12:33 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-11 12:33 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-07-11 12:33 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-07-11 12:33 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-07-11 12:33 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-07-11 01:22 <KAT> d-------- C:\Program\Aspyr
2007-07-11 00:35 3,982 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-11 00:28 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-07-11 00:28 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-07-11 00:22 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-07-10 00:22 <KAT> d-------- C:\Recyclers
2007-07-10 00:22 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-03 18:49 <KAT> d-------- C:\Program\PAF Tournament Director's Poker Clock
2007-07-03 17:43 <KAT> d-------- C:\Program\The Tournament Director 2
2007-07-03 15:36 <KAT> d-------- C:\Program\PKR


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 20:28:29 63,572 ----a-w C:\WINDOWS\system32\perfc01D.dat
2007-07-20 20:28:29 386,352 ----a-w C:\WINDOWS\system32\perfh01D.dat
2007-07-19 19:59:36 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Azureus
2007-07-19 17:21:30 -------- d-----w C:\Program\Messenger
2007-07-19 17:21:30 -------- d-----w C:\Program\ICQToolbar
2007-07-19 16:23:35 -------- d-----w C:\Program\Google
2007-07-17 22:12:55 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Skype
2007-07-17 15:49:18 -------- d--h--w C:\Program\InstallShield Installation Information
2007-07-17 15:18:20 -------- d-----w C:\Program\QuickTime
2007-07-17 15:18:20 -------- d-----w C:\Program\iTunes
2007-07-17 15:18:15 -------- d-----w C:\Program\ICQLite
2007-07-17 15:17:57 -------- d-----w C:\Program\DAEMON Tools
2007-07-17 15:17:38 -------- d-----w C:\Program\Windows Live Toolbar
2007-07-17 15:17:38 -------- d-----w C:\Program\MSN Messenger
2007-07-17 14:35:18 -------- d-----w C:\Program\Trend Micro
2007-07-16 16:19:43 -------- d-----w C:\Program\Delade filer\Symantec Shared
2007-07-16 16:18:11 -------- d-----w C:\Program\Symantec
2007-07-09 18:27:25 1,626 ----a-w C:\DOCUME~1\Tomas\APPLIC~1\wklnhst.dat
2007-06-30 14:56:59 -------- d-----w C:\Program\DC++
2007-06-23 23:13:05 -------- d-----w C:\Program\Azureus
2007-06-06 22:16:28 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-06 22:16:07 -------- d-----w C:\Program\D-Tools
2007-05-31 14:38:02 -------- d-----w C:\DOCUME~1\Tomas\APPLIC~1\Symantec
2007-05-25 19:13:13 -------- d-----w C:\Program\DivX
2007-05-16 15:20:05 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:22:55 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 15:00 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"LogitechVideoRepair"="C:\Program\Logitech\Video\ISStart.exe" [2004-10-08 12:31]
"LogitechVideoTray"="C:\Program\Logitech\Video\LogiTray.exe" [2004-10-08 12:24]
"RemoteControl"="C:\Program\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"MMTray"="C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"GrooveMonitor"="C:\Program\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Symantec PIF AlertEng"="C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"APVXDWIN"="C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06]
"Uniblue RegistryBooster 2"="C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-03 13:51]
"Uniblue SpeedUpMyPC"="C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 12:20]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-09-06 17:47]
"swg"="C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-19 18:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-20 18:57:54]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-09-06 17:47:38]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2006-07-14 13:46 45056 C:\WINDOWS\system32\avldr.dll

023 - amdk8 - system32\DRIVERS\AmdK8.sys
023 - microsoft office groove audit service - "C:\Program\Microsoft Office\Office12\GrooveAuditService.exe"
023 - mxofx - system32\DRIVERS\MXOFX.SYS
023 - mxopswd - system32\DRIVERS\mxopswd.sys
023 - odserv - "C:\Program\Delade filer\Microsoft Shared\OFFICE12\ODSERV.EXE"
023 - pavdrv - \??\C:\WINDOWS\system32\Drivers\pavdrv51.sys
023 - qcmerced - system32\DRIVERS\LVCM.sys
023 - vtcgabwbikam - system32\drivers\vtcgabwbikam.sys
023 - wmbenum - system32\drivers\WmBEnum.sys
023 - wmfilter - system32\drivers\WmFilter.sys
023 - wmvirhid - system32\drivers\WmVirHid.sys
023 - wmxlcore - system32\drivers\WmXlCore.sys


Contents of the 'Scheduled Tasks' folder
2007-07-19 17:02:01 C:\WINDOWS\tasks\RegClean Scheduled Scan.job
2007-07-19 17:17:07 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-19 16:13:32 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-07-19 16:59:34 C:\WINDOWS\tasks\Uniblue SpyEraser.job
2007-07-24 17:14:19 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-19 18:52:23 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 19:14:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 19:16:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-24 19:16
C:\ComboFix2.txt ... 2007-07-23 20:01
C:\ComboFix3.txt ... 2007-07-21 09:58

--- E O F ---

--------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 24, 2007 9:53:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/07/2007
Kaspersky Anti-Virus database records: 367274
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 84133
Number of viruses found: 3
Number of infected objects: 11 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:22:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-24_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tomas\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tomas\Lokala inställningar\Tidigare\History.IE5\MSHist012007072420070725\index.dat Object is locked skipped
C:\Documents and Settings\Tomas\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tomas\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tomas\Skrivbord\Virus\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tomas\Skrivbord\Virus\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tomas\Skrivbord\Virus\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tomas\Skrivbord\Virus\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Tomas\UserData\index.dat Object is locked skipped
C:\Program\Panda Software\Panda Antivirus 2007\223747d6a905c37188bbbd9d3b110706PSK_NAMES Object is locked skipped
C:\Program\Panda Software\Panda Antivirus 2007\223747d6a905c37188bbbd9d3b110706PSK_NAMES2 Object is locked skipped
C:\QooBox\Quarantine\C\Recyclers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Delf.asz skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP543\A0120863.exe/file24 Infected: not-a-virus:FraudTool.Win32.WinAnti skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP543\A0120863.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP543\A0120863.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP585\A0127033.exe/winds.exe Infected: Trojan-Downloader.Win32.Delf.asz skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP585\A0127033.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP595\A0128278.exe Infected: Trojan-Downloader.Win32.Delf.asz skipped
C:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP595\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{920E3D47-2DE7-4358-A875-B358E7B9753F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{4C77BAC4-C95D-429D-9520-AEADC0648BF8}\RP595\change.log Object is locked skipped

Scan process completed.


------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:11, on 2007-07-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Logitech\Video\LogiTray.exe
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program\panda software\panda antivirus 2007\WebProxy.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program\ICQToolbar\tbuC\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?8c788115a48747749654599ab4bc5531
O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?8c788115a48747749654599ab4bc5531
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program\Dantz\RETROS~1\retrorun.exe

--
End of file - 9907 bytes


Thanks and you guys are the best :)
Retark is offline  
Old 07-24-2007, 06:39 PM   #10 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,696
OS: XP Pro, Vista, Ubuntu 8.10


Re: Searchportal virus

Hello

You missed one entry

Open HijackThis and click on 'Do a System Scan Only'. Check the following entry (If it still exists)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Please remember to close all other windows, including browsers, then click Fix checked.


Then...

Well done, your logs are clean!


=========

Delete the following folder indicated in blue

C:\QooBox

=========

Flush the System Restore Points

To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives", then click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

=============

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

=================================================

This is a good time to set up protection against further attacks. Read TonyKlein's How Did I Get Infected In The First Place? You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real-time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster

Spyware Guard
IE-Spyad

============

Please respond to this thread one more time so we can mark this thread as Resolved.

If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Clark76 is offline  
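As an added illustration (not code from this thread, from HijackThis or from the forum's helpers), here is a small Python reviewer for the HijackThis log format posted above. It parses R0/R1, O4 and O23 lines and lists the entries a helper would look at first: the HKLM Start Page = about:blank entry Clark76 asked to be fixed, autorun commands that resolve a bare file name through PATH or point outside the usual program folders, and services HijackThis reports with an unknown owner. The sample lines are constructed from the shapes of entries in this thread; the expected-roots list and the vendor-default URL prefixes are assumptions and should be adjusted for the machine being reviewed (the log here is from a Swedish XP install where Program Files is C:\Program).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2.0.2 log format (shapes taken from this thread).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Virus program\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
"""

# Assumption: URLs with these prefixes are treated as vendor defaults for IE pages.
DEFAULT_URL_PREFIXES = ("http://go.microsoft.com/fwlink/",)
# Assumption: autorun executables are expected under these roots (adjust per machine).
EXPECTED_ROOTS = ("C:\\WINDOWS\\", "C:\\Program\\", "C:\\Program Files\\")

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First token ending in a program extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "R0", "O4", "O23"
    reason: str    # why a helper would look at this entry
    line: str      # the original log line


def extract_exe(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command string, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def in_expected_root(path: str) -> bool:
    """Case-insensitive check that a path sits under one of EXPECTED_ROOTS."""
    return path.upper().startswith(tuple(r.upper() for r in EXPECTED_ROOTS))


def review_hjt_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and collect entries worth a closer look."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        if section in ("R0", "R1"):
            r = R_RE.match(body)
            if not r:
                continue
            key, data = r.group("key"), r.group("data").strip()
            if data == "about:blank":
                findings.append(Finding(section, "IE start/search page set to about:blank", raw))
            elif key.upper().startswith("HKLM") and not data.startswith(DEFAULT_URL_PREFIXES):
                findings.append(Finding(section, "machine-wide IE page is not a vendor default", raw))
        elif section == "O4":
            o = O4_RE.match(body)
            if not o:
                continue                  # "Global Startup" shortcuts have a different shape
            exe = extract_exe(o.group("cmd"))
            if exe is None:
                findings.append(Finding(section, "could not identify the executable", raw))
            elif "\\" not in exe:
                findings.append(Finding(section, "bare file name resolved through PATH", raw))
            elif not in_expected_root(exe):
                findings.append(Finding(section, f"autorun outside expected roots: {exe}", raw))
        elif section == "O23":
            s = O23_RE.match(body)
            if s and s.group("owner").strip().lower() == "unknown owner":
                findings.append(Finding(section, "service reported with unknown owner", raw))
    return findings


if __name__ == "__main__":
    for f in review_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only triages; every entry it prints still has to be judged against what is actually installed, exactly as the helpers in this thread did by hand. Run it against a saved hijackthis.log by passing the file's contents to review_hjt_log.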
Old 07-25-2007, 01:08 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 6
OS: XP


Re: Searchportal virus



Thanks for all the help, I'm a newbie on computers when it comes to things like this.

Having you guys around to help us out will make the computers much safer.

Thanks again

// Retark
Retark is offline  
Old 07-25-2007, 02:11 PM   #12 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,696
OS: XP Pro, Vista, Ubuntu 8.10


Re: Searchportal virus

You are welcome

Happy surfing.
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Clark76 is offline  
Copyright 2001 - 2009, Tech Support Forum