07-08-2009, 07:50 PM   #1
Sabathius
Registered User
Join Date: Jul 2009
Posts: 11
OS: xp


Google Redirect Trojan

I have the Google redirect virus. As the others do, my results get redirected to several different sites. AVG, Ad-Aware, and ZoneAlarm virus and spyware scanners don't catch it. Thanks in advance.

One more thing, and I doubt it's related: whenever I try to boot up in Safe Mode, I get the blue screen of death. Fixing that would be awesome.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robert at 20:41:03.06 on Wed 07/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1458 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.realfek.com/forums/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTXFIREG] CTXFIREG.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\robert\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: ifilm.com\www
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {ffb3a759-98b1-446f-bda9-909c6eb18cc7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: rtasgvfu76ew8ndkfno94: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-7 28544]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-7 327688]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-7 27784]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-7 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-5-14 150544]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2006-6-9 120320]
R1 SSHDRV79;SSHDRV79;c:\windows\system32\drivers\SSHDRV79.sys [2006-6-9 75264]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-14 353672]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-7 298776]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-10-30 28672]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-11-7 3712]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-8-22 10880]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-8-22 21888]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\printer\center\EKDiscovery.exe [2008-10-10 274432]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-25 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-19 18560]
S3 krdpdre;krdpdre;\??\c:\docume~1\robert\locals~1\temp\krdpdre.sys --> c:\docume~1\robert\locals~1\temp\krdpdre.sys [?]

=============== Created Last 30 ================

2009-07-08 18:16 389,120 a------- c:\windows\system32\cmd.execf
2009-07-07 15:00 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-07 15:00 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-07 15:00 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-07 15:00 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-07 15:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-07 14:53 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-07-07 14:53 <DIR> --d----- c:\program files\Panda Security
2009-07-07 12:39 100,940 a------- c:\windows\system32\drivers\8e5a9ecc.sys
2009-07-07 12:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\17044534
2009-07-01 08:56 588 a------- c:\windows\system32\settingsbkup.sfm
2009-07-01 08:56 588 a------- c:\windows\system32\settings.sfm
2009-06-28 16:10 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-28 11:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-06-25 10:03 11,564 a------- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.rfx
2009-06-25 10:02 4,932,886 a------- c:\windows\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK
2009-06-25 10:01 <DIR> --d----- c:\program files\common files\Creative Labs Shared
2009-06-25 10:00 4,932,886 a------- c:\windows\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF
2009-06-25 10:00 30,528 a------- c:\windows\system32\BMXBkpCtrlState-{00000004-00000000-00000002-00001102-00000004-20061102}.rfx
2009-06-25 10:00 384 a------- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-22 13:57 189,800 a------- c:\windows\system32\PnkBstrB.exe
2009-06-22 13:57 189,800 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-22 13:57 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-17 20:22 138,608 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-17 19:19 <DIR> --d----- c:\program files\Perfect World Entertainment
2009-06-17 18:40 258,352 a------- c:\windows\system32\unicows.dll
2009-06-09 10:04 <DIR> --d----- c:\program files\DAEMON Tools Pro

==================== Find3M ====================

2009-07-08 18:22 396,524,832 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-08 18:22 4,867,532 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-07 14:04 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-25 10:00 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-06-25 10:00 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-06-21 12:12 3,038 a------- c:\windows\system32\ealregsnapshot1.reg
2009-06-02 07:40 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-05-29 21:20 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-02-03 23:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020320090204\index.dat

============= FINISH: 20:41:28.85 ===============
Attached Files: attach.zip (6.6 KB)

Last edited by Sabathius; 07-08-2009 at 07:53 PM.
07-11-2009, 12:06 PM   #2
Sabathius
Registered User
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

No reply; bump. 3 days and counting.
07-11-2009, 01:23 PM   #3
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

Hello, and welcome to the forums.

It seems as though you've tried to run ComboFix on your own.

A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'
Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which, when improperly used, may render your machine a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
Please delete any existing version that you have.

-----------------------------------------------------------------------

Next....

As stated in our pre-posting sticky topic...

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
If you have more than one antivirus software installed, leave only ONE and uninstall the others
While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

I see you have more than one Anti-Virus program installed, ZoneAlarm Security Suite and AVG Free 8.5. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
-----------------------------------------------------------------------

Once you've done that, and not before...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from this location:

     Link 1

     IMPORTANT !!! Place combofix.exe on your Desktop.

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here.

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

     The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

     With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

     ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

     The Recovery Console was successfully installed.

     Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

     Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
07-11-2009, 03:01 PM   #4
Sabathius
Registered User
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

First off, I do apologize about the Combo-Fix. It seems my wife got a tech-savvy friend to come and try to mess with it. She doesn't know how far he got in removing the bug.

Here is the log from Combo-Fix when I ran it.

ComboFix 09-07-09.08 - Robert 07/11/2009 15:43.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1651 [GMT -5:00]
Running from: c:\documents and settings\Robert\Desktop\Combo-Fix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\2cd2ef1.msi
c:\windows\Installer\46803.msi
c:\windows\Installer\48a447e.msi
c:\windows\Installer\49d9bd2.msi
c:\windows\Installer\8719f8c.msi
c:\windows\Installer\8cb515.msi
c:\windows\Installer\af10319.msi
c:\windows\Installer\ba14b5.msi
c:\windows\patch.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-11 20:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-11 20:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-09 16:39 . 2009-07-09 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-09 16:39 . 2009-07-11 13:53 -------- d-----w- c:\documents and settings\Robert\Application Data\SUPERAntiSpyware.com
2009-07-09 16:39 . 2009-07-11 13:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-09 15:37 . 2009-07-09 15:37 -------- d-----w- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-07-09 15:36 . 2009-07-09 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 19:53 . 2009-07-11 13:52 -------- d-----w- c:\program files\Panda Security
2009-07-07 17:39 . 2009-07-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\17044534
2009-06-28 21:10 . 2009-06-28 21:10 10134 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-28 21:10 . 2009-06-28 21:10 -------- d-----w- c:\program files\Microsoft WSE
2009-06-28 16:40 . 2009-06-28 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-28 16:40 . 2009-07-08 20:29 -------- d-----w- c:\program files\Electronic Arts
2009-06-25 15:01 . 2009-06-25 15:01 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-06-25 15:00 . 2009-06-25 15:00 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-22 18:57 . 2009-07-11 19:21 189800 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-22 18:57 . 2009-06-22 18:57 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-18 01:22 . 2009-07-11 18:47 138608 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-18 01:20 . 2009-06-22 18:57 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\PunkBuster
2009-06-18 00:19 . 2009-06-21 22:23 -------- d-----w- c:\program files\Perfect World Entertainment
2009-06-17 23:40 . 2005-05-10 23:54 258352 ----a-w- c:\windows\system32\unicows.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 20:52 . 2009-05-15 00:14 451607328 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-11 20:47 . 2009-05-15 00:14 6048476 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-11 18:47 . 2008-08-09 14:28 -------- d-----w- c:\program files\Steam
2009-07-11 13:53 . 2008-04-24 21:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-08 23:28 . 2009-07-08 23:28 128191 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_08_18_21_55_small.dmp.zip
2009-07-08 23:21 . 2009-07-08 23:23 1620992 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-07-08 23:21 . 2009-07-08 23:23 3085312 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-07-08 20:29 . 2005-06-13 18:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 20:27 . 2009-02-01 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-07-07 19:32 . 2009-07-07 19:33 1416704 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-07-07 19:32 . 2009-07-07 19:33 49664 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-07-07 19:04 . 2005-06-16 04:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-07 18:57 . 2009-07-07 19:01 2669056 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-07-07 18:57 . 2009-07-07 19:01 13824 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-07-07 18:56 . 2009-07-07 18:57 2672640 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-07-07 18:56 . 2009-07-07 18:57 416768 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-07-07 18:50 . 2009-07-07 18:53 3099136 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-07-07 18:50 . 2009-07-07 18:53 2672640 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-07-07 18:46 . 2009-07-07 19:01 2668544 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-06-25 15:00 . 2009-03-15 04:00 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-25 15:00 . 2005-12-08 17:12 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-25 15:00 . 2005-12-08 17:08 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-25 15:00 . 2005-06-16 00:01 -------- d-----w- c:\documents and settings\Robert\Application Data\Creative
2009-06-22 00:00 . 2009-06-09 15:04 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-21 17:16 . 2005-06-13 18:47 -------- d-----w- c:\program files\Intel
2009-06-21 17:16 . 2008-12-25 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2009-06-21 17:12 . 2008-09-08 19:05 3038 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-21 17:09 . 2005-06-13 18:47 -------- d-----w- c:\program files\Dell
2009-06-21 17:08 . 2005-09-07 03:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-21 16:51 . 2009-06-21 17:06 611328 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-06-21 16:51 . 2009-06-21 17:06 2521088 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-06-21 13:12 . 2009-06-21 13:14 2505728 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-06-21 00:32 . 2009-03-25 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-06-20 20:49 . 2009-06-20 20:57 99840 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-06-20 20:49 . 2009-06-20 20:57 2449920 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-06-20 17:48 . 2009-06-20 17:50 2416128 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-06-20 17:48 . 2009-06-20 17:50 3629056 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-19 12:29 . 2009-06-19 12:36 2405888 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-08 20:23 . 2009-06-08 20:23 1878984 ----a-w- c:\documents and settings\Robert\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-07 12:26 . 2007-12-15 03:02 -------- d-----w- c:\program files\World of Warcraft
2009-06-02 12:40 . 2009-06-02 12:40 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-30 02:38 . 2009-05-30 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2009-05-30 02:34 . 2007-12-10 17:24 -------- d-----w- c:\documents and settings\Robert\Application Data\DAEMON Tools Pro
2009-05-30 02:20 . 2006-01-15 03:51 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-29 04:39 . 2005-06-16 00:20 100480 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 21:31 . 2009-01-25 00:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-28 21:30 . 2009-05-28 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 20:10 . 2009-05-15 00:17 -------- d-----w- c:\documents and settings\Robert\Application Data\MailFrontier
2009-05-27 18:01 . 2009-05-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-27 18:00 . 2009-05-27 18:00 -------- d-----w- c:\program files\Microsoft Works
2009-05-27 18:00 . 2009-02-03 13:16 -------- d-----w- c:\program files\MSBuild
2009-05-27 17:59 . 2009-05-27 17:59 -------- d-----w- c:\program files\Microsoft.NET
2009-05-27 17:57 . 2009-05-27 17:57 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-05-22 02:49 . 2009-02-19 15:53 -------- d-----w- c:\program files\Microsoft Games
2009-05-17 15:54 . 2005-06-22 19:15 -------- d-----w- c:\program files\mIRC
2009-05-17 02:54 . 2009-05-17 02:54 -------- d-----w- c:\program files\SonicWallES
2009-05-15 00:10 . 2009-05-15 00:10 -------- d-----w- c:\program files\Zone Labs
2009-05-13 13:23 . 2009-05-13 12:56 25 ----a-w- c:\windows\popcinfot.dat
2009-05-13 12:56 . 2009-05-13 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-04-24 10:54 . 2009-04-24 10:53 46189214 ----a-w- c:\windows\Internet Logs\iexplore_2nd_2009_04_23_16_24_50_full.dmp.zip
2009-04-24 10:53 . 2009-04-24 10:53 131117 ----a-w- c:\windows\Internet Logs\iexplore_2nd_2009_04_23_16_24_44_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-05-07 159744]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-04-01 982408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2009-02-09 1657376]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\SYSTEM32\CTXFIHLP.EXE [2006-08-11 18944]
"CTXFIREG"="CTXFIREG.EXE" - c:\windows\SYSTEM32\CTXFIREG.EXE [2006-08-11 42496]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CtHelper.exe [2009-03-04 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 05:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^robert^start menu^programs^startup^ihaupd32.exe]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\ihaupd32.exe
backup=c:\windows\pss\ihaupd32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^robert^start menu^programs^startup^zqosys32.exe]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\zqosys32.exe
backup=c:\windows\pss\zqosys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war gold\\W40k.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war gold\\W40kWA.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war soulstorm\\soulstorm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"9323:TCP"= 9323:TCP:EKDiscovery

R1 SSHDRV65;SSHDRV65;c:\windows\SYSTEM32\DRIVERS\SSHDRV65.sys [6/9/2006 12:13 PM 120320]
R1 SSHDRV79;SSHDRV79;c:\windows\SYSTEM32\DRIVERS\SSHDRV79.sys [6/9/2006 12:30 PM 75264]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [11/7/2006 12:49 PM 3712]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\SYSTEM32\DRIVERS\dadder.sys [8/22/2008 7:56 PM 10880]
R3 LycoFltr;Lycosa Keyboard;c:\windows\SYSTEM32\DRIVERS\Lycosa.sys [8/22/2008 8:01 PM 21888]
S1 8e5a9ecc;8e5a9ecc;c:\windows\system32\drivers\8e5a9ecc.sys --> c:\windows\system32\drivers\8e5a9ecc.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 12:33 PM 274432]
S3 COMMONFX;COMMONFX;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/25/2009 10:01 AM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\DRIVERS\FlyUsb.sys [6/19/2007 2:21 AM 18560]
S3 krdpdre;krdpdre;\??\c:\docume~1\Robert\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Robert\LOCALS~1\Temp\krdpdre.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.realfek.com/forums/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: ifilm.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 15:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-513841094-953599521-1894694129-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-513841094-953599521-1894694129-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:28,ab,b3,f4,79,b1,a3,8f,07,9f,d2,c8,27,28,e1,66,6a,92,92,2d,33,0e,18,
93,0e,d3,68,51,9c,09,9b,2c,9b,64,e4,b5,8e,4f,24,3f,50,7c,54,72,28,c6,07,fe,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-513841094-953599521-1894694129-1006\Software\SecuROM\License information*]
"datasecu"=hex:e4,ef,79,85,04,75,c9,9b,a9,80,01,75,68,aa,5e,21,73,50,fc,8a,fd,
06,9a,a3,b7,bd,75,2f,d3,37,f9,b0,3f,cb,bc,aa,2f,8d,81,d9,20,56,b8,e6,24,f8,\
"rkeysecu"=hex:cb,29,e8,51,97,f7,2f,ae,2e,68,7c,23,f7,d7,11,fe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\ctagent.dll
c:\windows\system32\hnetcfg.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Razer\DeathAdder\razertra.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\program files\Razer\Lycosa\razertra.exe
.
**************************************************************************
.
Completion time: 2009-07-11 15:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 20:57

Pre-Run: 133,076,172,800 bytes free
Post-Run: 133,457,670,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
290 --- E O F --- 2007-10-10 14:19
Old 07-11-2009, 05:56 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

While I'm sure the friend was well intentioned, only those trained in its use should be advising others to employ ComboFix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------


Quote:
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
It's important to disable real time scanners before using ComboFix.

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393066-google-redirect-trojan.html#post2234830
    File::
    c:\windows\pss\zqosys32.exeStartup
    c:\windows\pss\ihaupd32.exeStartup
    Driver::
    krdpdre
    8e5a9ecc
    Registry::
    [-HKLM\~\startupfolder\c:^documents and settings^robert^start menu^programs^startup^zqosys32.exe]
    [-HKLM\~\startupfolder\c:^documents and settings^robert^start menu^programs^startup^ihaupd32.exe]
    DirLook::
    c:\documents and settings\All Users\Application Data\17044534
    Collect::
    c:\windows\system32\drivers\8e5a9ecc.sys
    c:\documents and settings\Robert\Start Menu\Programs\Startup\zqosys32.exe
    c:\documents and settings\Robert\Start Menu\Programs\Startup\ihaupd32.exe
    Comment::
    End Copy Here
    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
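The entries tetonbob's CFScript targets correspond to the kinds of autostart anomalies a defender would flag when reading a DDS/ComboFix log: a bare .exe dropped into a user's Startup folder, a driver loaded from a Temp directory, and a driver with a random hex name that no longer exists on disk. As an added example that is not part of this thread and not ComboFix's own code, the Python script below runs that triage over constructed sample lines copied from the log quoted above; the rules and severity labels are my own, and SASKUTIL is kept at "review" rather than "high" because it belongs to a product that is installed on the machine.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    name: str       # file or service name as it appears in the log
    severity: str   # "high" or "review"
    reason: str


# Constructed sample input: lines copied from the DDS/ComboFix output quoted
# in this thread (startup-folder entries plus R/S driver and service lines).
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^robert^start menu^programs^startup^ihaupd32.exe]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\ihaupd32.exe
backup=c:\windows\pss\ihaupd32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^robert^start menu^programs^startup^zqosys32.exe]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\zqosys32.exe
backup=c:\windows\pss\zqosys32.exeStartup

R1 SSHDRV65;SSHDRV65;c:\windows\SYSTEM32\DRIVERS\SSHDRV65.sys [6/9/2006 12:13 PM 120320]
S1 8e5a9ecc;8e5a9ecc;c:\windows\system32\drivers\8e5a9ecc.sys --> c:\windows\system32\drivers\8e5a9ecc.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Robert\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Robert\LOCALS~1\Temp\krdpdre.sys [?]
"""

# "R1 name;display;path [date size]"  or  "S3 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# eight hex digits as a driver base name, e.g. 8e5a9ecc.sys
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_startup_entry(path: str) -> Optional[Finding]:
    """Startup folders normally hold .lnk shortcuts; a bare .exe there is unusual."""
    low = path.lower()
    if "\\startup\\" in low and low.endswith(".exe"):
        return Finding(_basename(path), "high",
                       "executable placed directly in a Startup folder instead of a shortcut")
    return None


def check_service_line(line: str) -> Optional[Finding]:
    """Flag drivers/services loaded from Temp, with random hex names, or missing on disk."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    name, rest = m.group(1), m.group(2)
    missing = rest.rstrip().endswith("[?]")          # DDS marks a missing file with [?]
    # after " --> " the log repeats the resolved path; keep the last one, drop "[...]"
    path = rest.split(" --> ")[-1].rsplit(" [", 1)[0].strip()
    low = path.lower()
    stem = _basename(low).rsplit(".", 1)[0]
    if "\\temp\\" in low:
        return Finding(name, "high", "driver loaded from a user Temp directory")
    if "\\drivers\\" in low and HEX_NAME_RE.match(stem):
        return Finding(name, "high", "driver with random-looking hex name in system32\\drivers")
    if missing and "\\program files\\" in low:
        return Finding(name, "review", "binary missing on disk; confirm the vendor product is installed")
    if missing:
        return Finding(name, "review", "binary missing on disk")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run both checks over every line of a DDS/ComboFix log and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("path="):
            hit = check_startup_entry(line[5:])
        else:
            hit = check_service_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name}: {f.reason}")
```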
Old 07-11-2009, 10:08 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

I right clicked in the system tray and disabled Zone Alarm. After running ComboFix as instructed, it informed me that the virus scanner in Zone Alarm is still on. I restarted Zone Alarm, disabled the virus scanner in the Zone Alarm program window, and exited Zone Alarm again. Windows Security Center still shows my virus scanner as active. Is there a program in the Task Manager that needs to be disabled, as the only things left in my system tray are volume and Windows Security?

I am now sitting here with the combofix warning window up saying it detected the virus scanner on. I don't want to proceed without the scanner down.

Last edited by Sabathius; 07-11-2009 at 10:10 PM.
Old 07-11-2009, 10:25 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

There should be some sort of setting on advanced options of the ZA antivirus/antispyware tab to disable real-time scanning. We made it through the first run with whatever you did, so repeat what you did for that run.

It's possible that if you disabled the application after the run of ComboFix began, it may still tell you ZA is enabled.

If you've turned off the AntiVirus from the Antivirus/spyware tab in the program's main window, you should be fine.

Edit:

I just installed a trial version of ZA Security Suite, and all I needed to do was right click, and choose Shut down ZoneAlarm Security Suite, and ComboFix was happy. That said, it would be better to disable the AntiVirus protection from the Antivirus/spyware tab in the program's main window, since it will remain disabled after a reboot that way.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 07-11-2009 at 11:30 PM. Reason: added info
Old 07-12-2009, 05:58 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

Okay, I clicked okay and the screen blinked, and it says there's a newer version of ComboFix available; do I wish to download?
Old 07-12-2009, 09:45 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

Has ComboFix just been sitting there waiting for you all this time? You didn't close it or shut down the machine, did you??

Please allow it if you've not already.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 07-12-2009, 10:18 AM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

ComboFix has finished. The only window that I saw pop up was Windows Explorer having an error. I didn't see anything about a report being submitted.

I didn't close down ComboFix, and figured the best thing to do while I waited for an answer last night was to leave it as it was. It hadn't done anything except warn me that my virus scanner was up. I did enable the firewall when I went to bed and disabled it when I clicked okay for CF to run again this morning.

Here is the log.

ComboFix 09-07-11.02 - Robert 07/12/2009 10:55.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1552 [GMT -5:00]
Running from: c:\documents and settings\Robert\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Robert\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\pss\ihaupd32.exeStartup"
"c:\windows\pss\zqosys32.exeStartup"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KRDPDRE
-------\Service_8e5a9ecc
-------\Service_krdpdre


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-11 20:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-11 20:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-09 16:39 . 2009-07-09 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-09 16:39 . 2009-07-11 13:53 -------- d-----w- c:\documents and settings\Robert\Application Data\SUPERAntiSpyware.com
2009-07-09 16:39 . 2009-07-11 13:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-09 15:37 . 2009-07-09 15:37 -------- d-----w- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-07-09 15:36 . 2009-07-09 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 19:53 . 2009-07-11 13:52 -------- d-----w- c:\program files\Panda Security
2009-07-07 17:39 . 2009-07-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\17044534
2009-06-28 21:10 . 2009-06-28 21:10 10134 ----a-r- c:\documents and settings\Robert\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-28 21:10 . 2009-06-28 21:10 -------- d-----w- c:\program files\Microsoft WSE
2009-06-28 16:40 . 2009-06-28 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-28 16:40 . 2009-07-08 20:29 -------- d-----w- c:\program files\Electronic Arts
2009-06-25 15:01 . 2009-06-25 15:01 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-06-25 15:00 . 2009-06-25 15:00 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-22 18:57 . 2009-07-12 15:05 189800 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-22 18:57 . 2009-06-22 18:57 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-18 01:22 . 2009-07-12 13:32 138608 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-18 01:20 . 2009-06-22 18:57 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\PunkBuster
2009-06-18 00:19 . 2009-06-21 22:23 -------- d-----w- c:\program files\Perfect World Entertainment
2009-06-17 23:40 . 2005-05-10 23:54 258352 ----a-w- c:\windows\system32\unicows.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 16:08 . 2009-05-15 00:14 456734240 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-12 16:03 . 2009-05-15 00:14 6116852 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-12 13:31 . 2008-08-09 14:28 -------- d-----w- c:\program files\Steam
2009-07-11 13:53 . 2008-04-24 21:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-08 23:28 . 2009-07-08 23:28 128191 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_08_18_21_55_small.dmp.zip
2009-07-08 23:21 . 2009-07-08 23:23 1620992 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-07-08 23:21 . 2009-07-08 23:23 3085312 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-07-08 20:29 . 2005-06-13 18:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 20:27 . 2009-02-01 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-07-07 19:32 . 2009-07-07 19:33 1416704 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-07-07 19:32 . 2009-07-07 19:33 49664 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-07-07 19:04 . 2005-06-16 04:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-07 18:57 . 2009-07-07 19:01 2669056 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-07-07 18:57 . 2009-07-07 19:01 13824 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-07-07 18:56 . 2009-07-07 18:57 2672640 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-07-07 18:56 . 2009-07-07 18:57 416768 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-07-07 18:50 . 2009-07-07 18:53 3099136 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-07-07 18:50 . 2009-07-07 18:53 2672640 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-07-07 18:46 . 2009-07-07 19:01 2668544 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-06-25 15:00 . 2009-03-15 04:00 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-25 15:00 . 2005-12-08 17:12 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-25 15:00 . 2005-12-08 17:08 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-25 15:00 . 2005-06-16 00:01 -------- d-----w- c:\documents and settings\Robert\Application Data\Creative
2009-06-22 00:00 . 2009-06-09 15:04 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-21 17:16 . 2005-06-13 18:47 -------- d-----w- c:\program files\Intel
2009-06-21 17:16 . 2008-12-25 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2009-06-21 17:12 . 2008-09-08 19:05 3038 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-21 17:09 . 2005-06-13 18:47 -------- d-----w- c:\program files\Dell
2009-06-21 17:08 . 2005-09-07 03:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-21 16:51 . 2009-06-21 17:06 611328 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-06-21 16:51 . 2009-06-21 17:06 2521088 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-06-21 13:12 . 2009-06-21 13:14 2505728 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-06-21 00:32 . 2009-03-25 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-06-20 20:49 . 2009-06-20 20:57 99840 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-06-20 20:49 . 2009-06-20 20:57 2449920 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-06-20 17:48 . 2009-06-20 17:50 2416128 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-06-20 17:48 . 2009-06-20 17:50 3629056 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-19 12:29 . 2009-06-19 12:36 2405888 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-08 20:23 . 2009-06-08 20:23 1878984 ----a-w- c:\documents and settings\Robert\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-07 12:26 . 2007-12-15 03:02 -------- d-----w- c:\program files\World of Warcraft
2009-06-02 12:40 . 2009-06-02 12:40 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-30 02:38 . 2009-05-30 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2009-05-30 02:34 . 2007-12-10 17:24 -------- d-----w- c:\documents and settings\Robert\Application Data\DAEMON Tools Pro
2009-05-30 02:20 . 2006-01-15 03:51 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-29 04:39 . 2005-06-16 00:20 100480 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 21:31 . 2009-01-25 00:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-28 21:30 . 2009-05-28 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 20:10 . 2009-05-15 00:17 -------- d-----w- c:\documents and settings\Robert\Application Data\MailFrontier
2009-05-27 18:01 . 2009-05-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-27 18:00 . 2009-05-27 18:00 -------- d-----w- c:\program files\Microsoft Works
2009-05-27 18:00 . 2009-02-03 13:16 -------- d-----w- c:\program files\MSBuild
2009-05-27 17:59 . 2009-05-27 17:59 -------- d-----w- c:\program files\Microsoft.NET
2009-05-27 17:57 . 2009-05-27 17:57 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-05-22 02:49 . 2009-02-19 15:53 -------- d-----w- c:\program files\Microsoft Games
2009-05-17 15:54 . 2005-06-22 19:15 -------- d-----w- c:\program files\mIRC
2009-05-17 02:54 . 2009-05-17 02:54 -------- d-----w- c:\program files\SonicWallES
2009-05-15 00:10 . 2009-05-15 00:10 -------- d-----w- c:\program files\Zone Labs
2009-05-13 13:23 . 2009-05-13 12:56 25 ----a-w- c:\windows\popcinfot.dat
2009-04-24 10:54 . 2009-04-24 10:53 46189214 ----a-w- c:\windows\Internet Logs\iexplore_2nd_2009_04_23_16_24_50_full.dmp.zip
2009-04-24 10:53 . 2009-04-24 10:53 131117 ----a-w- c:\windows\Internet Logs\iexplore_2nd_2009_04_23_16_24_44_small.dmp.zip
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\17044534 ----

2009-07-07 17:39 . 2009-07-07 18:53 56 ----a-w- c:\documents and settings\All Users\Application Data\17044534\17044534


((((((((((((((((((((((((((((( SnapShot@2009-07-11_20.51.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-15 00:14 . 2009-07-12 11:56 643844 c:\windows\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-05-15 00:14 . 2009-07-11 20:38 643844 c:\windows\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-05-07 159744]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-04-01 982408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2009-02-09 1657376]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\SYSTEM32\CTXFIHLP.EXE [2006-08-11 18944]
"CTXFIREG"="CTXFIREG.EXE" - c:\windows\SYSTEM32\CTXFIREG.EXE [2006-08-11 42496]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CtHelper.exe [2009-03-04 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 05:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war gold\\W40k.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war gold\\W40kWA.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war soulstorm\\soulstorm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"9323:TCP"= 9323:TCP:EKDiscovery

R1 SSHDRV65;SSHDRV65;c:\windows\SYSTEM32\DRIVERS\SSHDRV65.sys [6/9/2006 12:13 PM 120320]
R1 SSHDRV79;SSHDRV79;c:\windows\SYSTEM32\DRIVERS\SSHDRV79.sys [6/9/2006 12:30 PM 75264]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [11/7/2006 12:49 PM 3712]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\SYSTEM32\DRIVERS\dadder.sys [8/22/2008 7:56 PM 10880]
R3 LycoFltr;Lycosa Keyboard;c:\windows\SYSTEM32\DRIVERS\Lycosa.sys [8/22/2008 8:01 PM 21888]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 12:33 PM 274432]
S3 COMMONFX;COMMONFX;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/25/2009 10:01 AM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\DRIVERS\FlyUsb.sys [6/19/2007 2:21 AM 18560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.realfek.com/forums/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Robert\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: ifilm.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-513841094-953599521-1894694129-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-513841094-953599521-1894694129-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:28,ab,b3,f4,79,b1,a3,8f,07,9f,d2,c8,27,28,e1,66,6a,92,92,2d,33,0e,18,
93,0e,d3,68,51,9c,09,9b,2c,9b,64,e4,b5,8e,4f,24,3f,50,7c,54,72,28,c6,07,fe,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-513841094-953599521-1894694129-1006\Software\SecuROM\License information*]
"datasecu"=hex:e4,ef,79,85,04,75,c9,9b,a9,80,01,75,68,aa,5e,21,73,50,fc,8a,fd,
06,9a,a3,b7,bd,75,2f,d3,37,f9,b0,3f,cb,bc,aa,2f,8d,81,d9,20,56,b8,e6,24,f8,\
"rkeysecu"=hex:cb,29,e8,51,97,f7,2f,ae,2e,68,7c,23,f7,d7,11,fe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\hnetcfg.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\SYSTEM32\PnkBstrB.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-12 11:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 16:12
ComboFix2.txt 2009-07-11 20:57

Pre-Run: 133,362,614,272 bytes free
Post-Run: 133,358,059,520 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
271 --- E O F --- 2007-10-10 14:19
Sabathius is offline  
Old 07-12-2009, 10:33 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

OK, that's fine, looks like the files targeted were not present, so there'd be no message box.

I see you have Malwarebytes' AntiMalware installed.

Please update its definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Antimalware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-12-2009, 10:48 AM   #12 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

Scan run, that was the program the friend of my wife installed, along with CF. There's a log of what he scanned, if you need that.

I sincerely hope I haven't been wasting your time.

Here's what I just scanned.



Malwarebytes' Anti-Malware 1.38
Database version: 2412
Windows 5.1.2600 Service Pack 3

7/12/2009 11:45:04 AM
mbam-log-2009-07-12 (11-45-04).txt

Scan type: Quick Scan
Objects scanned: 104324
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Sabathius is offline  
Old 07-12-2009, 11:05 AM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

Hi, you're not wasting my time at all. This is why we're here.

Latest Mbam log is clean, that's a good thing.

Please run this online scan to help look for remnants

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-12-2009, 04:50 PM   #14 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

When Max (wife's friend) ran MBam the first time, the log that it saved shows 33 infected items, all successfully deleted.

From what I can see, my pc is behaving normally again. I haven't tested if it bluescreens going to safe mode or not. I assume that's a problem with the safe mode drivers. The google redirect and the popups are gone.

Here's the ESET log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16762 (vista_gdr.081013-1507)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=8fdfd94de2b8444c868bc2b237a76b88
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-12 07:13:56
# local_time=2009-07-12 02:13:56 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=111033
# found=1
# cleaned=0
# scan_time=6304
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=6
# iexplore.exe=7.00.6000.16762 (vista_gdr.081013-1507)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=8fdfd94de2b8444c868bc2b237a76b88
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-12 10:44:14
# local_time=2009-07-12 05:44:14 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=112391
# found=1
# cleaned=0
# scan_time=9567
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
Sabathius is offline  
Old 07-12-2009, 05:01 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

Safe Mode issues may have been due to the infection which was present. Please try it now, and let me know. If it BSODs, please provide the error message. To ensure a STOP error is viewable, ensure you've disabled auto-restart on System Failure.

AutoRestart on System Failure

Go to Start >> Run - type or copy/paste control sysdm.cpl,,3 & press Enter

Under Startup and Recovery, Click Settings
Under System Failure, Uncheck Automatically Restart



I'd also like to see the MBAM log which shows the removals, thanks.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-12-2009, 05:16 PM   #16 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

The safe mode issue has been fixed, no BSOD.

Here's the original log from MBam

Malwarebytes' Anti-Malware 1.38
Database version: 2398
Windows 5.1.2600 Service Pack 3

7/9/2009 11:24:33 AM
mbam-log-2009-07-09 (11-24-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 209295
Time elapsed: 45 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{674de1aa-facf-47a5-a4cf-9ef05f9a1b2a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{46c166aa-3108-11d4-9348-00c04f8eeb71}\inprocserver32\(default) (Hijack.Hnetcfg) -> Bad: (\\?\globalroot\systemroot\installer\8719f8c.msi) Good: (hnetcfg.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\pss\ihaupd32.exeStartup (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\DRIVERS\8e5a9ecc.sys (Rootkit.Agent) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\WBEM\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Sabathius is offline  
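As an added example (not code from this thread or from Malwarebytes), here is a Python triage script for the MBAM 1.x log format quoted above: it parses the per-section entries, checks the declared counts against what was actually listed, and flags the items worth a follow-up after a removal (suppressed Security Center notifications, the hnetcfg.dll CLSID redirected to a \\?\globalroot path, the Image File Execution Options hijack, and a driver still pending "Delete on reboot"). The embedded sample log is constructed from a subset of the thread's own entries, with the summary counts adjusted to match.

```python
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.38 log format quoted above; the entries are a
# subset of the thread's own log, with the summary counts adjusted to match.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{46c166aa-3108-11d4-9348-00c04f8eeb71}\inprocserver32\(default) (Hijack.Hnetcfg) -> Bad: (\\?\globalroot\systemroot\installer\8719f8c.msi) Good: (hnetcfg.dll) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\SYSTEM32\DRIVERS\8e5a9ecc.sys (Rootkit.Agent) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\WBEM\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection entry: "<path> (<family>) -> <rest>"
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# "Registry Data Items" entries carry the hijacked and restored values before the action
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
# Summary block at the top of the log, e.g. "Files Infected: 5"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

@dataclass
class Finding:
    section: str    # log section the entry was listed under
    path: str       # registry key/value or file path
    family: str     # MBAM detection name, e.g. Trojan.Agent
    action: str     # what MBAM did, e.g. Quarantined and deleted successfully
    bad: str = ""   # Registry Data Items only: the hijacked value
    good: str = ""  # Registry Data Items only: the value MBAM restored

def parse_mbam_log(text):
    """Return (declared summary counts, list of Finding) from an MBAM 1.x log."""
    counts, findings, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := SUMMARY_RE.match(line)):
            counts[m["section"]] = int(m["count"])
        elif line.endswith(" Infected:"):
            section = line[:-1]          # section header, e.g. "Files Infected"
        elif section and (m := LINE_RE.match(line)):
            rest, bad, good = m["rest"], "", ""
            if (d := DATA_RE.match(rest)):
                bad, good, rest = d["bad"], d["good"], d["action"]
            findings.append(Finding(section, m["path"], m["family"], rest.rstrip("."), bad, good))
    return counts, findings

def count_mismatches(counts, findings):
    """Sections whose declared count differs from the entries actually listed (log tampering or truncation)."""
    seen = {}
    for f in findings:
        seen[f.section] = seen.get(f.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if n != seen.get(s, 0)}

def triage(findings):
    """Flag the findings a defender should verify by hand after the removal."""
    notes = []
    for f in findings:
        p = f.path.lower()
        if f.family == "Disabled.SecurityCenter":
            notes.append(f"security alerts were suppressed via {f.path}; confirm the value is back to {f.good}")
        elif "inprocserver32" in p and f.bad.lower().startswith("\\\\?\\globalroot"):
            notes.append(f"COM hijack: {f.path} pointed at hidden path {f.bad} (expected {f.good})")
        elif "image file execution options" in p:
            notes.append(f"IFEO hijack of {f.path.rsplit(chr(92), 1)[-1]}; check no Debugger value remains")
        if f.action == "Delete on reboot":
            notes.append(f"{f.path} ({f.family}) was not removed yet; verify it is gone after the reboot")
    return notes
```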
Old 07-12-2009, 06:33 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

Great, glad to hear the Safe Mode issue is resolved. That should just about take care of things.

About the file found by Eset, I've read differing reports, some suggesting it has something to do with a Dell Support application, others say it's adware.

I'd like to have a look at the file, please.
  • Please visit this site:

    http://www.bleepingcomputer.com/subm...php?channel=28

  • In the Browse to the file you want to submit: area, copy and paste this

    C:\I386\GTDownDE_87.ocx
  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and let me know.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-12-2009, 06:38 PM   #18 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

file sent
Sabathius is offline  
Old 07-12-2009, 07:04 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Google Redirect Trojan

16/41 vendors say it's adware.

http://www.virustotal.com/analisis/5...979-1247446700

I would delete it.

Using Windows Explorer, or Windows Search, locate and delete the following:

C:\I386\GTDownDE_87.ocx

---------------------------------------------------------------------------------------------

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-12-2009, 08:10 PM   #20 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: xp


Re: Google Redirect Trojan

deleted the file

Thanks for the help tetonbob. Much appreciated.
Sabathius is offline  
All times are GMT -7. The time now is 04:44 AM.



Copyright 2001 - 2009, Tech Support Forum