Virus On Ie Search Results


#1 Tombaylor

  • Members
  • 7 posts

Posted 16 February 2008 - 05:09 PM

Please help!!!! My name is Thomas and I have done everything I know how to do with running ComboFix and trying different spyware and antivirus tools to solve my issue. It appears I am still stuck with a virus where, once you run a search on Yahoo or Google and click on one of the search results, you get taken to a different page. I really need help here, and I am new to the site, so I am not sure what I need to include on here to get the assistance I need. Please, anyone, help me. :thumbsup:

Here is my log after running combofix.

ComboFix 08-02-15.1 - BigT 2008-02-15 21:28:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703 [GMT -6:00]
Running from: C:\Documents and Settings\BigT\Local Settings\Temporary Internet Files\Content.IE5\K3TE9GPW\Combo-Fix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys
C:\WINDOWS\system32\instsrv.exe
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 19:41 . 2008-02-15 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-15 19:40 . 2008-02-15 20:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-15 19:40 . 2008-02-15 19:40 <DIR> d-------- C:\Documents and Settings\BigT\Application Data\SUPERAntiSpyware.com
2008-02-15 17:54 . 2008-02-15 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 09:41 . 2008-02-14 09:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-14 09:41 . 2008-02-15 21:13 <DIR> d-------- C:\Documents and Settings\BigT\Application Data\AVG7
2008-02-14 09:41 . 2008-02-14 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 09:41 . 2008-02-14 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-14 09:25 . 2008-02-15 18:16 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-02-14 09:25 . 2008-02-14 09:25 <DIR> d-------- C:\Documents and Settings\BigT\Application Data\Anti-Virus-Pro.com
2008-01-28 15:12 . 2008-01-28 15:12 <DIR> d-------- C:\Documents and Settings\BigT\Application Data\eFax Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 03:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-02-16 01:59 --------- d-----w C:\Program Files\SearchRelevant
2008-02-16 01:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 23:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-14 14:50 --------- d-----w C:\Documents and Settings\BigT\Application Data\AdobeUM
2008-02-14 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-31 04:41 --------- d-----w C:\Documents and Settings\BigT\Application Data\Picaboo
2007-12-31 04:40 --------- d-----w C:\Program Files\Picaboo
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2006-05-15 18:54 17,920 ----a-w C:\Documents and Settings\BigT\Application Data\GDIPFONTCACHEV1.DAT
2004-09-09 21:55 0 ---ha-w C:\Documents and Settings\Chad\hpothb07.dat
2004-08-23 18:30 0 ---ha-w C:\Documents and Settings\BigT\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-09-01 10:26 66672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34 3084288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 18:44 1200128]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-25 15:04 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 20:10 339968]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 04:50 155648]
"inad"="C:\WINDOWS\inad.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-26 22:46 77824]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2005-12-16 15:19 1103520]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 07:21 823296]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2006-06-20 10:32 94208]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-14 09:41 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-14 09:41 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
Contents of the 'Scheduled Tasks' folder
"2004-09-24 15:07:24 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1087915009.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-02-15 07:05:00 C:\WINDOWS\Tasks\wakup.job"
- C:\Documents and Settings\BigT\My Documents\wakup.m3u
"2008-02-15 20:30:00 C:\WINDOWS\Tasks\Winamp.job"
- C:\Documents and Settings\BigT\My Documents\wakup.m3u
"2008-02-15 15:00:01 C:\WINDOWS\Tasks\{112A314C-E771-4CBF-A1ED-76BA8336E3E3}_WAYNE-KC6A5TG24_BigT.job"
- C:\WINDOWS\system32\mobsync.exeI /Schedule=
"2008-02-15 22:00:00 C:\WINDOWS\Tasks\{AE370C4E-3944-442E-AEB9-4A649EC0E3BF}_WAYNE-KC6A5TG24_BigT.job"
- C:\WINDOWS\system32\mobsync.exeI /Schedule=
"2008-02-15 22:00:00 C:\WINDOWS\Tasks\{DA96ADAB-FD22-4A2D-BC84-6304983C114E}_WAYNE-KC6A5TG24_BigT.job"
- C:\WINDOWS\system32\mobsync.exeI /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 21:36:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-02-15 21:40:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 03:40:16
.
2008-02-16 00:06:54 --- E O F ---

Edited by Tombaylor, 16 February 2008 - 05:32 PM.


#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts

Posted 16 February 2008 - 05:39 PM

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Further, you did not follow the required instructions for using ComboFix as its log indicates your machine does not have the Recovery Console installed.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.