11-15-2008, 04:37 PM   #1
darkmana, Registered User (Join Date: Dec 2006; Location: Manitoba, CA; Posts: 64; OS: Win7 Pro x64)

Vimax ads; Google results redirecting.

I've recently been experiencing two issues:

- Nearly all adverts on all websites have been replaced by "Vimax Pills" ads.
- Google search results will redirect me to other search engines when I click on them. This appears to be done through JavaScript, as middle-clicking (to open link in new tab) is ignored and simply opens in the same tab, which then redirects.

Here is the pasted DDS.txt:

DDS (Version 1.0) - NTFSx86
Run by Owner at 17:18:11.92 on Sat 11/15/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2620 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\Apps\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
E:\Apps\DeathAdder\razerhid.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Apps\DeathAdder\razerofa.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
E:\Apps\G15\SystemMonitor\LCDSirReal.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Apps\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Downloads\_temp\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - e:\apps\spybot\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Steam] "e:\games\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Fraps] e:\apps\fraps\FRAPS.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ZoneAlarm Client] "e:\apps\zonealarm\zlclient.exe"
mRun: [DeathAdder] e:\apps\deathadder\razerhid.exe
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Adobe Reader Speed Launcher] "e:\apps\adobe reader 9\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\xfire.lnk - e:\apps\xfire\xfire.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\apps\spybot\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 CTAudSvcService;Creative Audio Service;c:\program files\creative\shared files\CTAudSvc.exe
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys
R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\common files\creative labs shared\service\CTAELicensing.exe"
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\google\google desktop search\GoogleDesktop.exe"
S3 wampapache;wampapache;"e:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;e:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld

=============== Created Last 30 ================

2008-11-15 16:58 250 a------- c:\windows\gmer.ini
2008-11-14 18:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-11-13 10:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-11-11 13:01 <DIR> --d----- c:\docume~1\owner\applic~1\vlc
2008-10-29 19:24 42,320 a------- c:\windows\system32\xfcodec.dll
2008-10-28 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fallout3
2008-10-28 16:04 <DIR> --d----- c:\windows\system32\XPSViewer
2008-10-28 16:03 14,048 -------- c:\windows\system32\spmsg2.dll
2008-10-24 06:06 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-22 05:29 173,550 a------- c:\windows\system32\xlive.dll.cat
2008-10-22 05:29 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-22 05:29 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-18 20:12 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2008-11-15 16:55 <DIR> --d----- c:\docume~1\owner\applic~1\Xfire
2008-11-14 18:22 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-14 17:35 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2008-11-08 14:24 <DIR> --d----- c:\docume~1\owner\applic~1\codeblocks
2008-10-27 16:20 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-10-22 20:15 107,832 a------- c:\windows\system32\PnkBstrB.exe
2008-10-22 20:15 2,250,024 a------- c:\windows\system32\pbsvc.exe
2008-10-22 20:15 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-12 14:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATI
2008-10-12 14:06 <DIR> --d----- c:\program files\ATI Technologies
2008-10-12 13:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative
2008-10-12 13:49 <DIR> --d----- c:\program files\Creative
2008-10-12 13:45 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2008-10-12 13:42 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-10-12 13:42 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-10-12 13:17 94,208 a------- c:\windows\ScUnin.exe
2008-10-12 13:17 31,278 a------- c:\windows\scunin.dat
2008-10-11 09:36 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2008-10-08 17:50 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2008-10-07 18:57 <DIR> --d----- c:\program files\Sun
2008-10-06 06:27 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-09-20 18:42 410,976 a------- c:\windows\system32\deploytk.dll
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-08-26 01:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-20 20:19 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-08-20 20:18 314,880 a------- c:\windows\system32\ati2dvag.dll
2008-08-20 20:08 184,320 a------- c:\windows\system32\atipdlxx.dll
2008-08-20 20:08 143,360 a------- c:\windows\system32\Oemdspif.dll
2008-08-20 20:07 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-08-20 20:07 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-08-20 20:07 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-08-20 20:05 573,440 a------- c:\windows\system32\ati2evxx.exe
2008-08-20 20:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-08-20 20:04 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-08-20 20:01 10,084,352 a------- c:\windows\system32\atioglxx.dll
2008-08-20 19:55 4,094,560 a------- c:\windows\system32\ati3duag.dll
2008-08-20 19:50 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-08-20 19:38 2,377,856 a------- c:\windows\system32\ativvaxx.dll
2008-08-20 19:37 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-08-20 19:37 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-08-20 19:37 887,724 a------- c:\windows\system32\ativva6x.dat
2008-08-20 19:23 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-08-20 19:19 380,928 a------- c:\windows\system32\atikvmag.dll
2008-08-20 19:18 37,376 a------- c:\windows\system32\atiadlxx.dll
2008-08-20 19:18 17,408 a------- c:\windows\system32\atitvo32.dll
2008-08-20 19:17 253,952 a------- c:\windows\system32\atiok3x2.dll
2008-08-20 19:11 561,152 a------- c:\windows\system32\ati2cqag.dll
2008-08-17 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2008-08-16 18:30 <DIR> --d----- c:\docume~1\owner\applic~1\Microsoft Games
2008-08-16 15:29 <DIR> --d----- c:\docume~1\owner\applic~1\Bioshock
2008-08-16 13:34 <DIR> --d----- c:\docume~1\owner\applic~1\InstallShield Installation Information
2008-08-16 12:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative Labs
2008-08-16 08:41 <DIR> --d----- c:\docume~1\owner\applic~1\MailFrontier
2008-08-16 08:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

============= FINISH: 17:18:30.64 ===============
Attached Files
File Type: txt Gmer.txt (9.7 KB, 9 views)
File Type: txt Attach.txt (9.8 KB, 4 views)
darkmana is offline  
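The "Psuedo HJT Report" section of the DDS log above is the part an analyst reads first (Run keys, BHOs, AppInit_DLLs, startup folder). As an added example, not code from the thread or from DDS, this Python script parses that section and attaches review hints to each entry; the sample input is an excerpt of the log posted above, and the hint names (global-inject, no-path, short-name, user-profile) are this example's own.

```python
r"""Triage helper for the "Psuedo HJT Report" section of a DDS.txt log.

Added example (not part of DDS or of this thread). DDS writes one autostart
entry per line; the forms handled here are:
    uRun: [Name] "path\to\program.exe" args      (HKCU Run value)
    mRun: [Name] program.exe                     (HKLM Run value)
    BHO: {CLSID} - path\to\helper.dll            (IE Browser Helper Object)
    AppInit_DLLs: path\to\hook.dll               (DLL loaded into every GUI process)
    StartupFolder: path\to\item.lnk - path\to\target.exe
The flags are review hints for an analyst, not verdicts about the entry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the DDS report posted in this thread (lines copied verbatim).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [Steam] "e:\games\steam\steam.exe" -silent
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ZoneAlarm Client] "e:\apps\zonealarm\zlclient.exe"
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\xfire.lnk - e:\apps\xfire\xfire.exe
"""


@dataclass
class Entry:
    kind: str                      # uRun, mRun, BHO, AppInit_DLLs, StartupFolder
    name: str                      # value name, CLSID or .lnk path; "" for AppInit_DLLs
    target: str                    # executable or DLL path exactly as the log shows it
    flags: List[str] = field(default_factory=list)


_RUN = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_BHO = re.compile(r"^BHO: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
_APPINIT = re.compile(r"^AppInit_DLLs: (?P<path>.+)$")
_STARTUP = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<path>.+)$")


def program_of(cmd: str) -> str:
    """Return the program part of a command line: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one DDS line into an Entry, or None for lines of other kinds."""
    line = line.strip()
    m = _RUN.match(line)
    if m:
        return Entry(m["kind"], m["name"], program_of(m["cmd"]))
    m = _BHO.match(line)
    if m:
        return Entry("BHO", m["clsid"], m["path"])
    m = _APPINIT.match(line)
    if m:
        return Entry("AppInit_DLLs", "", m["path"])
    m = _STARTUP.match(line)
    if m:
        return Entry("StartupFolder", m["lnk"], m["path"])
    return None


def flag(entry: Entry) -> Entry:
    """Attach review hints based only on where and how the target is referenced."""
    t = entry.target.lower()
    if entry.kind == "AppInit_DLLs":
        entry.flags.append("global-inject")   # loaded into every process that maps user32.dll
    if "\\" not in t:
        entry.flags.append("no-path")         # bare file name, resolved through the search path
    if re.search(r"~\d", t):
        entry.flags.append("short-name")      # 8.3 alias hides the real directory name
    if "\\documents and settings\\" in t or "\\docume~1\\" in t:
        entry.flags.append("user-profile")    # autostart from a user-writable location
    return entry


def triage(report: str) -> List[Entry]:
    """Parse a whole DDS pseudo-HJT section and flag each entry."""
    return [flag(e) for e in map(parse_entry, report.splitlines()) if e]


def flagged(report: str) -> List[Entry]:
    """Only the entries that carry at least one review hint."""
    return [e for e in triage(report) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        marks = ", ".join(e.flags) or "-"
        print(f"{e.kind:<14} {e.name:<24} {marks:<28} {e.target}")
```

Entries without hints still need a look when the symptoms point at them; the hints only order the review.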

11-18-2008, 04:11 PM   #2
darkmana, Registered User (Join Date: Dec 2006; Location: Manitoba, CA; Posts: 64; OS: Win7 Pro x64)

Re: Vimax ads; Google results redirecting.

72-hour bump.
Still experiencing described issues, have not made any relevant changes to my computer since posting.

Any and all assistance is greatly appreciated.
darkmana is offline  
11-21-2008, 05:38 PM   #3
darkmana, Registered User (Join Date: Dec 2006; Location: Manitoba, CA; Posts: 64; OS: Win7 Pro x64)

Re: Vimax ads; Google results redirecting.

Another 72-hour bump.
darkmana is offline  
12-01-2008, 09:56 AM   #4
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 26,985; OS: WinXP and Vista)

Re: Vimax ads; Google results redirecting.

Hello darkmana,

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply along with a fresh dds.txt.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
12-01-2008, 10:12 PM   #5
darkmana, Registered User (Join Date: Dec 2006; Location: Manitoba, CA; Posts: 64; OS: Win7 Pro x64)

Re: Vimax ads; Google results redirecting.

Hello Ried; thank you for replying.

I am still experiencing said issues, though I have discovered that my Google results are not redirected if I sign into iGoogle before searching. I have also added the Vimax ads domain to my hosts file (adv.net).

I have pasted the contents of findlop.txt below and attached DDS.txt as per your instructions. I greatly appreciate your help.

findlop.txt:

Volume in drive C is System
Volume Serial Number is 5CA7-76BF

Directory of C:\Documents and Settings\All Users\Application Data

11/24/2008 08:32 PM <DIR> Adobe
10/12/2008 02:10 PM <DIR> ATI
10/12/2008 01:55 PM <DIR> Creative
08/16/2008 12:26 PM <DIR> Creative Labs
10/28/2008 04:07 PM <DIR> Fallout3
08/19/2008 01:48 AM <DIR> FLEXnet
11/14/2008 06:25 PM <DIR> Lavasoft
08/16/2008 11:49 AM <DIR> Logitech
08/16/2008 08:33 AM <DIR> MailFrontier
08/17/2008 11:16 PM <DIR> Messenger Plus!
08/16/2008 08:23 AM <DIR> Spybot - Search & Destroy
12/01/2008 05:04 PM <DIR> TEMP
08/15/2008 08:55 PM <DIR> Windows Genuine Advantage
08/18/2008 01:57 PM <DIR> WLInstaller
0 File(s) 0 bytes
14 Dir(s) 17,596,153,856 bytes free
Volume in drive C is System
Volume Serial Number is 5CA7-76BF

Directory of C:\Documents and Settings\Owner\Application Data

11/25/2008 07:11 AM <DIR> Adobe
08/15/2008 10:04 PM <DIR> ATI
08/16/2008 03:29 PM <DIR> Bioshock
11/19/2008 11:50 PM <DIR> codeblocks
08/29/2008 08:19 PM <DIR> Creative
11/24/2008 08:05 PM <DIR> Download Manager
08/28/2008 07:46 PM <DIR> dvdcss
10/21/2008 09:33 PM <DIR> FileZilla
08/15/2008 04:29 AM <DIR> Identities
08/16/2008 11:36 AM <DIR> InstallShield
08/16/2008 01:34 PM <DIR> InstallShield Installation Information
08/15/2008 10:46 PM <DIR> Macromedia
08/16/2008 08:41 AM <DIR> MailFrontier
08/16/2008 06:30 PM <DIR> Microsoft Games
08/16/2008 08:12 AM <DIR> Mozilla
08/19/2008 01:32 AM <DIR> Notepad++
11/09/2008 09:42 AM <DIR> OpenOffice.org2
08/17/2008 10:52 PM <DIR> Opera
10/22/2008 08:15 PM 22,328 PnkBstrK.sys
09/05/2008 10:02 PM <DIR> Sun
08/16/2008 08:12 AM <DIR> Talkback
12/01/2008 06:21 PM <DIR> teamspeak2
08/16/2008 08:12 AM <DIR> Thunderbird
11/30/2008 09:29 PM <DIR> uTorrent
11/11/2008 01:02 PM <DIR> vlc
08/15/2008 10:30 PM <DIR> Winamp
12/01/2008 05:50 PM <DIR> Xfire
1 File(s) 22,328 bytes
26 Dir(s) 17,596,153,856 bytes free
Volume in drive C is System
Volume Serial Number is 5CA7-76BF

Directory of C:\Documents and Settings\Default User\Application Data

08/16/2008 12:10 AM <DIR> .
08/16/2008 12:10 AM <DIR> ..
08/16/2008 12:10 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 17,596,149,760 bytes free
Volume in drive C is System
Volume Serial Number is 5CA7-76BF

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is System
Volume Serial Number is 5CA7-76BF

Directory of C:\Documents and Settings\NetworkService\Application Data
Attached Files
File Type: txt DDS.txt (9.0 KB, 2 views)

Last edited by darkmana; 12-01-2008 at 10:15 PM.
darkmana is offline  
12-01-2008, 10:22 PM   #6
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 26,985; OS: WinXP and Vista)

Re: Vimax ads; Google results redirecting.

Hello darkmana,

I'd like you to run ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Ried is offline  
12-01-2008, 11:27 PM   #7
darkmana, Registered User (Join Date: Dec 2006; Location: Manitoba, CA; Posts: 64; OS: Win7 Pro x64)

Re: Vimax ads; Google results redirecting.

Thank you for the immediate reply.

I followed the instructions you linked to, installed the Recovery Console via my WinXP disc, and ran ComboFix. I have pasted the resulting log below.

ComboFix.txt:

ComboFix 08-12-01.01 - Owner 2008-12-02 0:13:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2825 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-11-24 20:31 . 2008-11-24 20:31 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-24 17:42 . 2008-11-24 17:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-24 17:06 . 2008-11-24 20:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\Download Manager
2008-11-22 14:08 . 2006-07-11 18:43 1,060,864 --a------ c:\windows\system32\mfc71.dll
2008-11-22 14:08 . 2006-07-11 18:35 503,808 --a------ c:\windows\system32\MSVCP71.dll
2008-11-22 14:08 . 2007-01-01 20:03 40,960 -ra------ c:\windows\system32\psfind.dll
2008-11-20 14:44 . 2008-11-20 14:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-15 16:58 . 2008-11-15 16:59 250 --a------ c:\windows\gmer.ini
2008-11-14 18:23 . 2008-11-14 18:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-13 10:10 . 2008-11-13 10:10 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-11-11 13:01 . 2008-11-11 13:02 <DIR> d-------- c:\documents and settings\Owner\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 06:19 27,546,656 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-02 06:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 06:15 373,016 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-02 06:09 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2008-12-02 06:08 2,764,800 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-12-02 04:01 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-02 04:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-02 00:21 --------- d-----w c:\documents and settings\Owner\Application Data\teamspeak2
2008-12-01 05:12 2,746,880 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-12-01 03:29 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-11-30 15:00 984,576 ----a-w c:\windows\Internet Logs\xDB11.tmp
2008-11-30 06:34 2,745,856 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-11-29 07:22 2,745,344 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-11-28 16:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 06:20 2,713,088 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-11-27 04:57 2,707,456 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-11-26 05:52 2,706,944 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-11-26 02:22 2,706,432 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-11-25 15:02 3,621,376 ----a-w c:\windows\Internet Logs\xDB16.tmp
2008-11-25 02:27 --------- d-----w c:\program files\Common Files\Adobe
2008-11-20 05:50 --------- d-----w c:\documents and settings\Owner\Application Data\codeblocks
2008-11-16 04:15 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-15 00:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-09 15:42 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2008-11-09 01:48 2,448,384 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-10-30 22:12 2,099,523 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-28 23:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-28 23:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-28 22:07 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-10-28 22:06 --------- d-----w c:\program files\MSBuild
2008-10-28 22:04 --------- d-----w c:\program files\Reference Assemblies
2008-10-27 03:01 1,027,584 ----a-w c:\windows\Internet Logs\xDB121.tmp
2008-10-23 02:15 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-23 02:15 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-10-23 02:15 2,250,024 ----a-w c:\windows\system32\pbsvc.exe
2008-10-22 03:33 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla
2008-10-14 03:00 151,552 ----a-w c:\windows\Internet Logs\xDB249.tmp
2008-10-13 18:00 646,144 ----a-w c:\windows\Internet Logs\xDB110.tmp
2008-10-12 20:19 2,257,408 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-10-12 20:10 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-10-12 20:06 --------- d-----w c:\program files\ATI Technologies
2008-10-12 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-10-12 19:49 --------- d-----w c:\program files\Creative
2008-10-12 19:45 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-12 19:42 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2008-10-12 19:42 110,592 ----a-w c:\windows\system32\OpenAL32.dll
2008-10-12 19:17 94,208 ----a-w c:\windows\ScUnin.exe
2008-10-11 15:36 --------- dc-h--w c:\documents and settings\All Users\Application Data\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2008-10-10 23:10 3,166,208 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-10-08 23:50 --------- dc-h--w c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2008-10-08 00:57 --------- d-----w c:\program files\Sun
2008-10-08 00:56 --------- d-----w c:\program files\Java
2008-10-06 12:27 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-05 21:01 658,944 ----a-w c:\windows\Internet Logs\xDBEA.tmp
2008-09-25 03:00 40,448 ----a-w c:\windows\Internet Logs\xDBD1.tmp
2008-09-24 21:00 667,136 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-09-21 00:42 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-06 18:01 612,352 ----a-w c:\windows\Internet Logs\xDB44.tmp
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\games\steam\steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"Fraps"="e:\apps\FRAPS\FRAPS.EXE" [2008-01-14 913064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-16 29744]
"ZoneAlarm Client"="e:\apps\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"DeathAdder"="e:\apps\DeathAdder\razerhid.exe" [2007-09-07 159744]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"Adobe Reader Speed Launcher"="e:\apps\Adobe Reader 9\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-20 144792]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"RivaTunerStartupDaemon"="e:\apps\RivaTuner\RivaTuner.exe" [2008-09-16 2715648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 c:\windows\system32\Ctxfihlp.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Xfire.lnk - e:\apps\Xfire\xfire.exe [2008-11-20 2986320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Apps\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Games\\Call of Duty 4\\iw3mp.exe"=
"e:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"e:\\Games\\Crysis Demo\\Bin32\\Crysis.exe"=
"e:\\Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"e:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Games\\STALKER\\bin\\XR_3DA.exe"=
"e:\\Games\\STALKER\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"e:\\Games\\Battlefield 2\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 CTAudSvcService;Creative Audio Service;c:\program files\Creative\Shared Files\CTAudSvc.exe [2008-08-16 425984]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-05-20 93696]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-08-15 22784]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-08-15 36864]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe" [2008-08-16 79360]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-16 29744]
S3 VirtualDK;VirtualDK;\??\e:\downloads\_filedump\usb_prep8\vdk.sys []
S3 wampapache;wampapache;"e:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice [2008-11-05 24635]
S3 wampmysqld;wampmysqld;e:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld []
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 17:30]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v06476pu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - e:\apps\Adobe Reader 9\Reader\browser\nppdf32.dll
FF -: plugin - e:\apps\Firefox\plugins\npdeploytk.dll
FF -: plugin - e:\apps\Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - e:\apps\Firefox\plugins\npnul32.dll
FF -: plugin - e:\apps\Firefox\plugins\nppdf32.dll
FF -: plugin - e:\apps\Opera\program\plugins\npdsplay.dll
FF -: plugin - e:\apps\Opera\program\plugins\NPSWF32.dll
FF -: plugin - e:\apps\Opera\program\plugins\npwmsdrm.dll
FF -: plugin - e:\apps\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 00:17:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1292)
e:\apps\Xfire\xfire_toucan_35044.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
e:\apps\AdAware\aawservice.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
e:\apps\DeathAdder\razertra.exe
e:\apps\DeathAdder\razerofa.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
e:\apps\G15\SystemMonitor\LCDSirReal.exe
c:\windows\system32\CTxfispi.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-12-02 0:21:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 06:21:24

Pre-Run: 17,471,954,944 bytes free
Post-Run: 18,158,514,176 bytes free

218 --- E O F --- 2008-10-25 06:35:34
Old 12-02-2008, 08:58 PM   #8
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,985
OS: WinXP and Vista
Re: Vimax ads; Google results redirecting.

Hello darkmana,

Did any of your onboard scanners previously detect Zlob on your system?
Do you use a wireless router?
Does this occur with IE, Firefox, or both browsers?


Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Old 12-02-2008, 10:02 PM   #9
darkmana (Registered User)
Re: Vimax ads; Google results redirecting.

No, I do not believe Zlob appeared in any scans I have performed.

My router is wireless, but this PC is connected via ethernet.

My search results have been redirected in Chrome and Firefox, though it seems sporadic -- I just tested and my results were redirected once, but, performing the same search again, my results were not redirected (in Chrome). I do not recall IE or Opera redirecting my results (they aren't redirecting them right now, either), but I don't use them frequently.

The Vimax ads appear in all above browsers.

lopR.txt:


--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel Pentium III Xeon processor )
BIOS : BIOS Date: 05/26/08 00:51:17 Ver: 08.00.14
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : ZoneAlarm Security Suite Antivirus 7.0.483.000 (Not Activated)
Firewall : ZoneAlarm Security Suite Firewall 7.0.483.000 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:31 Go (Free:16 Go)
D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
E:\ (Local Disk) - NTFS - Total:433 Go (Free:270 Go)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Tue 12/02/2008|22:55 )

--------------------\\ Listing folders in APPLIC~1

[10/11/2008|09:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {0151C9FC-719D-4459-B1E2-4685CC6E62A8}
[10/08/2008|05:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {0691F710-1ECA-4B5A-9727-25554F1BFDC6}
[11/24/2008|08:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[10/12/2008|02:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ATI
[10/12/2008|01:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative
[08/16/2008|12:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative Labs
[10/28/2008|04:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Fallout3
[08/19/2008|01:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[11/14/2008|06:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[08/16/2008|11:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Logitech
[08/16/2008|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MailFrontier
[08/17/2008|11:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Messenger Plus!
[11/13/2008|10:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[08/16/2008|08:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[12/02/2008|10:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[08/15/2008|08:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[08/18/2008|01:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller

[08/15/2008|04:23] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[08/15/2008|04:23] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[08/15/2008|04:23] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[08/16/2008|11:36] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Xfire

[11/25/2008|07:11] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Adobe
[08/15/2008|10:04] C:\DOCUME~1\Owner\APPLIC~1\<DIR> ATI
[08/16/2008|03:29] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Bioshock
[11/19/2008|11:50] C:\DOCUME~1\Owner\APPLIC~1\<DIR> codeblocks
[08/29/2008|08:19] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Creative
[11/24/2008|08:05] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Download Manager
[08/28/2008|07:46] C:\DOCUME~1\Owner\APPLIC~1\<DIR> dvdcss
[10/21/2008|09:33] C:\DOCUME~1\Owner\APPLIC~1\<DIR> FileZilla
[08/15/2008|04:29] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Identities
[08/16/2008|11:36] C:\DOCUME~1\Owner\APPLIC~1\<DIR> InstallShield
[08/16/2008|01:34] C:\DOCUME~1\Owner\APPLIC~1\<DIR> InstallShield Installation Information
[08/15/2008|10:46] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Macromedia
[08/16/2008|08:41] C:\DOCUME~1\Owner\APPLIC~1\<DIR> MailFrontier
[08/17/2008|05:25] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Microsoft
[08/16/2008|06:30] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Microsoft Games
[08/16/2008|08:12] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Mozilla
[08/19/2008|01:32] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Notepad++
[11/09/2008|09:42] C:\DOCUME~1\Owner\APPLIC~1\<DIR> OpenOffice.org2
[08/17/2008|10:52] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Opera
[08/16/2008|02:55] C:\DOCUME~1\Owner\APPLIC~1\<DIR> SecuROM
[09/05/2008|10:02] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Sun
[08/16/2008|08:12] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Talkback
[12/01/2008|06:21] C:\DOCUME~1\Owner\APPLIC~1\<DIR> teamspeak2
[08/16/2008|08:12] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Thunderbird
[12/02/2008|10:55] C:\DOCUME~1\Owner\APPLIC~1\<DIR> uTorrent
[11/11/2008|01:02] C:\DOCUME~1\Owner\APPLIC~1\<DIR> vlc
[08/15/2008|10:30] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Winamp
[12/02/2008|10:40] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Xfire

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[12/02/2008 10:17 PM][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
[12/02/2008 06:39 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[02/28/2006 06:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11/24/2008|08:32] C:\Program Files\<DIR> Adobe
[11/24/2008|08:31] C:\Program Files\<DIR> Adobe Media Player
[08/16/2008|01:23] C:\Program Files\<DIR> AGEIA Technologies
[08/15/2008|09:44] C:\Program Files\<DIR> ASUS
[10/12/2008|02:06] C:\Program Files\<DIR> ATI Technologies
[08/19/2008|01:26] C:\Program Files\<DIR> Bonjour
[12/02/2008|12:13] C:\Program Files\<DIR> Common Files
[08/15/2008|04:21] C:\Program Files\<DIR> ComPlus Applications
[10/12/2008|01:49] C:\Program Files\<DIR> Creative
[08/16/2008|08:22] C:\Program Files\<DIR> Google
[11/28/2008|10:47] C:\Program Files\<DIR> InstallShield Installation Information
[08/15/2008|09:41] C:\Program Files\<DIR> Intel
[10/22/2008|08:13] C:\Program Files\<DIR> Internet Explorer
[10/07/2008|06:56] C:\Program Files\<DIR> Java
[08/16/2008|11:49] C:\Program Files\<DIR> Logitech
[08/15/2008|09:40] C:\Program Files\<DIR> Messenger
[08/15/2008|04:23] C:\Program Files\<DIR> microsoft frontpage
[11/13/2008|10:10] C:\Program Files\<DIR> Microsoft Games for Windows - LIVE
[08/15/2008|09:12] C:\Program Files\<DIR> Movie Maker
[10/28/2008|04:06] C:\Program Files\<DIR> MSBuild
[08/15/2008|04:20] C:\Program Files\<DIR> MSN
[08/15/2008|04:20] C:\Program Files\<DIR> MSN Gaming Zone
[08/18/2008|01:58] C:\Program Files\<DIR> MSN Messenger
[08/15/2008|09:12] C:\Program Files\<DIR> NetMeeting
[08/15/2008|04:20] C:\Program Files\<DIR> Online Services
[08/15/2008|09:12] C:\Program Files\<DIR> Outlook Express
[09/29/2008|09:13] C:\Program Files\<DIR> QuickTime
[08/15/2008|04:40] C:\Program Files\<DIR> Razer
[08/15/2008|09:39] C:\Program Files\<DIR> Realtek
[10/28/2008|04:04] C:\Program Files\<DIR> Reference Assemblies
[10/07/2008|06:57] C:\Program Files\<DIR> Sun
[08/15/2008|04:29] C:\Program Files\<DIR> Uninstall Information
[08/17/2008|11:44] C:\Program Files\<DIR> Windows Live
[10/06/2008|06:27] C:\Program Files\<DIR> Windows Media Connect 2
[10/06/2008|06:27] C:\Program Files\<DIR> Windows Media Player
[08/15/2008|09:12] C:\Program Files\<DIR> Windows NT
[08/15/2008|04:22] C:\Program Files\<DIR> WindowsUpdate
[08/15/2008|04:23] C:\Program Files\<DIR> xerox

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11/24/2008|08:27] C:\Program Files\Common Files\<DIR> Adobe
[11/24/2008|05:42] C:\Program Files\Common Files\<DIR> Adobe AIR
[08/15/2008|10:00] C:\Program Files\Common Files\<DIR> ATI Technologies
[08/18/2008|02:07] C:\Program Files\Common Files\<DIR> BioWare
[10/12/2008|01:45] C:\Program Files\Common Files\<DIR> Blizzard Entertainment
[08/16/2008|12:02] C:\Program Files\Common Files\<DIR> Creative Labs Shared
[08/15/2008|09:43] C:\Program Files\Common Files\<DIR> InstallShield
[09/05/2008|10:02] C:\Program Files\Common Files\<DIR> Java
[08/19/2008|01:22] C:\Program Files\Common Files\<DIR> Macrovision Shared
[08/16/2008|02:53] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/15/2008|04:21] C:\Program Files\Common Files\<DIR> MSSoap
[08/16/2008|12:10] C:\Program Files\Common Files\<DIR> ODBC
[08/15/2008|04:21] C:\Program Files\Common Files\<DIR> Services
[08/16/2008|12:10] C:\Program Files\Common Files\<DIR> SpeechEngines
[08/15/2008|09:12] C:\Program Files\Common Files\<DIR> System
[08/18/2008|01:58] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller
[11/14/2008|06:22] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 43 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 22:56:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:52][D:2]-> C:\DOCUME~1\Owner\LOCALS~1\Temp
[F:31][D:0]-> C:\DOCUME~1\Owner\Cookies
[F:433][D:4]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Tue 12/02/2008|22:51 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - Tue 12/02/2008|22:54 - Option : [1]
3 - "C:\Lop SD\LopR_3.txt" - Tue 12/02/2008|22:56 - Option : [1]

--------------------\\ Scan completed at 22:56:44
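Ried's questions about Zlob and the router, and darkmana's answer that the PC sits behind a wireless router over Ethernet, are the usual way of asking whether the DNS servers the machine uses are still the ones its owner expects: swapped resolver settings change ads and search results in every browser at once, which is the symptom in this thread. The script below is an added example, not part of any post and not something Lop S&D or ComboFix does. It parses `ipconfig /all` output in the XP format, works out each adapter's own subnet and gateway, and classifies every configured resolver as LAN (the router), allowlisted, or unexpected. IPCONFIG_SAMPLE is constructed; its 203.0.113.x resolvers are documentation (TEST-NET-3) addresses standing in for an unknown server, and KNOWN_GOOD_RESOLVERS (the two OpenDNS addresses) is an assumed allowlist for the owner to fill in.

```python
"""Triage the DNS servers configured on each network adapter.

Added example for this thread; not part of any post and not what Lop S&D or
ComboFix does. IPCONFIG_SAMPLE is constructed in the Windows XP `ipconfig /all`
format; its 203.0.113.x resolvers are documentation (TEST-NET-3) addresses
standing in for an unknown server. KNOWN_GOOD_RESOLVERS is an assumed allowlist.
"""
import ipaddress
import os
import re
import subprocess

# Resolvers the owner deliberately configured (assumption; here the two OpenDNS addresses).
KNOWN_GOOD_RESOLVERS = {
    ipaddress.ip_address("208.67.222.222"),
    ipaddress.ip_address("208.67.220.220"),
}

# Constructed sample: one wired adapter pointed at resolvers nobody configured,
# one wireless adapter using the router.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : owner-pc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Gigabit Ethernet Adapter (constructed)
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                  # "Ethernet adapter X:"
# "Key . . . : value"; the dot leaders are required so IPv6 continuation lines never match
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /\-]*?)[ .]*\.[ .]*:\s*(.*?)\s*$")
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                    # extra value on its own line


def _addr(text):
    """Parse an address, or return None for things like scoped IPv6 gateways."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}} from `ipconfig /all` output."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ADAPTER_RE.match(raw)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:              # host-wide header block, not an adapter
            continue
        m = FIELD_RE.match(raw)
        if m:
            last_key = m.group(1)
            values = current.setdefault(last_key, [])
            if m.group(2):
                values.append(m.group(2))
            continue
        m = CONT_RE.match(raw)
        if m and last_key:               # second DNS server etc. on its own line
            current[last_key].append(m.group(1))
    return adapters


def classify_dns_servers(adapters, allowlist=KNOWN_GOOD_RESOLVERS):
    """Return [(adapter, server, verdict)]; verdict is LAN, ALLOWLISTED or UNEXPECTED."""
    findings = []
    for name, fields in adapters.items():
        lan = None
        if fields.get("IP Address") and fields.get("Subnet Mask"):
            lan = ipaddress.ip_network(
                f"{fields['IP Address'][0]}/{fields['Subnet Mask'][0]}", strict=False)
        gateways = {a for a in map(_addr, fields.get("Default Gateway", [])) if a}
        for server in fields.get("DNS Servers", []):
            addr = _addr(server)
            if addr is None:
                continue
            if addr in gateways or (lan is not None and addr in lan):
                verdict = "LAN"          # the router (or another host on the segment)
            elif addr in allowlist:
                verdict = "ALLOWLISTED"
            else:
                verdict = "UNEXPECTED"   # nobody here configured this resolver
            findings.append((name, server, verdict))
    return findings


def unexpected_resolvers(ipconfig_text, allowlist=KNOWN_GOOD_RESOLVERS):
    """Only the (adapter, server) pairs that need explaining."""
    return [(a, s) for a, s, v in classify_dns_servers(parse_ipconfig(ipconfig_text), allowlist)
            if v == "UNEXPECTED"]


if __name__ == "__main__":
    if os.name == "nt":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = IPCONFIG_SAMPLE
    for adapter, server, verdict in classify_dns_servers(parse_ipconfig(text)):
        print(f"{verdict:12} {server:16} {adapter}")
```

A LAN verdict only moves the question one hop: a router whose DNS settings were changed hands out its own address over DHCP and forwards queries to the rogue server, so every PC behind it looks clean at this layer. Compare the router's WAN-side DNS servers with what the ISP assigns before ruling this out.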
Old 12-02-2008, 10:11 PM   #10
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Re: Vimax ads; Google results redirecting.

Let's see if an online scan reveals anything for us. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Old 12-02-2008, 10:47 PM   #11
darkmana (Registered User)
Re: Vimax ads; Google results redirecting.

Kaspersky will not update. It downloads and installs, but gets to updating, appears to cycle through several mirrors, and then alerts me with an error. I've tried both Firefox and IE several times.

Quote:
Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Updater logic error related to download process]
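The Lop S&D log earlier reports `Hosts file CLEAN`, which rules out the hosts file as the cause of the Kaspersky updater failure in this post. As an added example (not from the thread, and not the check Lop S&D performs), the script below shows what such a check looks for: any name mapped to an address other than loopback or 0.0.0.0 is a redirect, and a security vendor's domain pinned to loopback is the classic way malware breaks antivirus updates. Both hosts-file texts are constructed; 203.0.113.10 is a documentation (TEST-NET-3) address standing in for an attacker-controlled server, and SECURITY_VENDOR_DOMAINS is an illustrative, assumed list rather than a complete one.

```python
"""Check a Windows hosts file for redirects and for blocked security-vendor sites.

Added example; not from the thread and not the check Lop S&D performs. Both
hosts-file texts are constructed; 203.0.113.10 is a documentation (TEST-NET-3)
address standing in for an attacker-controlled server. SECURITY_VENDOR_DOMAINS
is an illustrative assumption, not a complete list.
"""
import ipaddress
from pathlib import Path

DEFAULT_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Names that legitimately map to a local address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Vendors whose update/download hosts malware likes to pin to loopback (assumed, illustrative).
SECURITY_VENDOR_DOMAINS = (
    "kaspersky.com", "pandasecurity.com", "symantec.com", "mcafee.com",
    "zonelabs.com", "safer-networking.org", "microsoft.com", "windowsupdate.com",
)

CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
"""

HIJACKED_HOSTS = """\
127.0.0.1       localhost
# the three entries below are constructed for this example
127.0.0.1       kaspersky.com www.kaspersky.com
203.0.113.10    www.google.com google.com
0.0.0.0         ads.example    # ad-blocker style pin: local target, not a vendor site
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        target, *names = line.split()
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            continue                                 # not an address: ignore the line
        for name in names:
            yield lineno, addr, name.lower()


def is_security_domain(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def suspicious_entries(text):
    """Return [(line_number, kind, address, hostname)] worth a closer look."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        local = addr.is_loopback or addr.is_unspecified   # 127.0.0.1, ::1, 0.0.0.0
        if local and name in LOCAL_NAMES:
            continue
        if not local:
            # Any real address here silently sends the browser somewhere else.
            findings.append((lineno, "REDIRECT", str(addr), name))
        elif is_security_domain(name):
            # Pinning a vendor's hosts to loopback is how updates get "mysteriously" broken.
            findings.append((lineno, "BLOCKED_SECURITY_SITE", str(addr), name))
    return findings


def check_system_hosts(path=DEFAULT_HOSTS_PATH):
    """Run the check on a real hosts file; pass the path from DataBasePath if it was changed."""
    return suspicious_entries(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, suspicious_entries(text) or "no findings")
```

One caveat: Windows reads the hosts file from the directory named in the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, so a tool that only opens the default location can report CLEAN while the system is using a file somewhere else. check_system_hosts() takes the path as an argument for that reason.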
Old 12-03-2008, 06:35 AM   #12
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Re: Vimax ads; Google results redirecting.

See if you can get this one to work for you:

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
Old 12-03-2008, 08:22 PM   #13
darkmana (Registered User)
Re: Vimax ads; Google results redirecting.

Alright, I managed to scan with Panda ActiveScan which found several infections. I have attached ActiveScan.txt and await further instruction.
Attached Files
File Type: txt ActiveScan.txt (5.6 KB, 6 views)
Old 12-03-2008, 08:32 PM   #14
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Re: Vimax ads; Google results redirecting.

Sure are, and from what I see it goes along with your comment about Google Chrome. Clear your Google Chrome cache:
  • Click the Tools menu
  • Select Clear browsing data
  • Select Empty the cache and Delete cookies
  • Click Clear browsing data.


Delete the following file:

c:\windows\system32\appsetup.exe


How is it behaving now?
Old 12-03-2008, 08:51 PM   #15
darkmana (Registered User)
Re: Vimax ads; Google results redirecting.

My search results are not being redirected; ads are still being replaced.
Old 12-03-2008, 08:58 PM   #16
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Re: Vimax ads; Google results redirecting.

We'll take a look with another tool.

Please download KZTechssuite. Scroll down a bit and click the Local Download button.

1. Extract it to Desktop & double click SREngLdr.exe to run it

2. Look toward the bottom and tick "Verify Digital Signatures".

3. Select 'Smart Scan' &

4. Click on the [Scan] button

5. When finished, click on the [Save Reports] button & save the log to Desktop

6. Attach the log in your next reply. Don't post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.
Old 12-03-2008, 09:17 PM   #17
darkmana (Registered User)
Re: Vimax ads; Google results redirecting.

Once again, thank you for the lightning response.

I have attached SREngLOG.txt.
Attached Files
File Type: txt SREngLOG.txt (68.9 KB, 2 views)
Old 12-03-2008, 09:19 PM   #18
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Re: Vimax ads; Google results redirecting.

You're welcome, but this time around it will take me some time to go over this log and see if I can find the source.
Old 12-03-2008, 09:29 PM   #19
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Re: Vimax ads; Google results redirecting.

I'm not seeing any malware there either. Let's go simple and clear out temp and temp internet files as it may be launching from there.

Download ATF Cleaner by Atribune.


Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
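ATF Cleaner, as Ried says, simply empties the temp and temporary-internet-files folders. That is fine as a fix, but it also deletes whatever a dropper left there before anyone has looked at it. The script below is an added example, not part of the thread and not ATF Cleaner's code: it walks a folder and records the name, size, modification time and SHA-256 of every file that begins with the PE `MZ` header, regardless of extension, so the listing can be kept or submitted for analysis before the folder is wiped. build_sample_temp() creates a constructed directory (one PE-headed file disguised as a .tmp, one text file named .exe) so the example runs anywhere; windows_temp_roots() names the XP folders seen in the Lop S&D log above and assumes the standard TEMP and USERPROFILE variables are set.

```python
"""Inventory PE files under a temp folder before it is emptied.

Added example; not from the thread and not ATF Cleaner's code. build_sample_temp()
creates a constructed directory so the example runs anywhere; windows_temp_roots()
names the XP folders from the Lop S&D log and assumes the standard environment
variables are set.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

PE_MAGIC = b"MZ"   # every Windows executable/DLL starts with this, whatever its extension


def is_pe_file(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_executables(root):
    """Return a sorted list of dicts (path, size, modified, sha256) for PE files under root."""
    root = Path(root)
    records = []
    for path in root.rglob("*"):
        if path.is_file() and is_pe_file(path):
            st = path.stat()
            records.append({
                "path": path.relative_to(root).as_posix(),
                "size": st.st_size,
                "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                "sha256": sha256_of(path),
            })
    return sorted(records, key=lambda r: r["path"])


def windows_temp_roots():
    """The XP folders seen in the Lop S&D log (assumes TEMP and USERPROFILE are set)."""
    candidates = []
    if os.environ.get("TEMP"):
        candidates.append(Path(os.environ["TEMP"]))
    if os.environ.get("USERPROFILE"):
        candidates.append(Path(os.environ["USERPROFILE"]) / "Local Settings" / "Temporary Internet Files")
    return [p for p in candidates if p.is_dir()]


def build_sample_temp():
    """Constructed temp tree: one PE-headed file hiding as .tmp, two harmless files."""
    root = Path(tempfile.mkdtemp(prefix="tsf_example_"))
    (root / "sub").mkdir()
    # "MZ" header plus filler: a PE-looking stub, not a real program
    (root / "sub" / "tmp4A2F.tmp").write_bytes(PE_MAGIC + b"\x90" * 62)
    (root / "setup.log").write_text("installer log, nothing executable\n")
    (root / "readme.exe").write_text("text, despite the name\n")   # the extension lies
    return root


def remove_sample_temp(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    roots = windows_temp_roots() or [build_sample_temp()]
    for root in roots:
        for rec in inventory_executables(root):
            print(f"{rec['modified']}  {rec['size']:>9}  {rec['sha256'][:16]}...  {root / rec['path']}")
```

Run it before the cleaner, keep the output with the rest of the logs, and note that the header check is deliberately independent of the file extension: a dropper in Temp is as likely to be called something.tmp as something.exe.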
Old 12-03-2008, 10:06 PM   #20
darkmana (Registered User)
Re: Vimax ads; Google results redirecting.

I ran ATF Cleaner and restarted; ads are still being replaced. It did happen to clear up about 30 MB of space, though.
Copyright 2001 - 2009, Tech Support Forum