Google searches getting redirected


11 replies to this topic

#1 lomar79


Posted 07 February 2009 - 05:28 AM

Hi. I'm going on Google to do searches as usual, only to find myself realising that I'm opening new tabs to see results, which is not normal, and I'm not being directed to where I desire to go; I'm being redirected to other search engines and ad pages and sites.
This is weird. I did some research and found that I should use HijackThis. I did; however, I ain't sure what to do with it. I just don't wanna have to lose my Windows and stuff, as I don't have the start-up boot disk. Can anyone help me get rid of this search engine bug or virus or whatever it's called? Here's my HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:51 AM, on 2/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {417B818F-ED19-4CAD-99A5-F061D2B019C6} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D8CADFE4-81E7-4424-887F-DC661B79EAFF} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [84a47e97] rundll32.exe "C:\WINDOWS\system32\fpuiblmp.dll",b
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtUmJBQ - awtUmJBQ.dll (file missing)
O20 - Winlogon Notify: mlJAtuSJ - mlJAtuSJ.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5686 bytes
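As an added example (not code from this thread and not part of HijackThis), a small Python triage script that parses the O4, O17 and O20 lines of a HijackThis v2 log and flags the patterns the helper acted on in this thread: a static NameServer pointing at public resolvers, a non-empty AppInit_DLLs value, orphaned Winlogon Notify entries, and Run entries with random hex names that launch rundll32. The sample log is constructed from entries in the post above; the severity labels and the TRUSTED_DNS allowlist are this script's own assumptions.

```python
"""Triage the O4/O17/O20 lines of a HijackThis v2 log (added example)."""
import re
from ipaddress import ip_address
from typing import List, Tuple

# (severity, HijackThis section, reason); the severity labels are this script's own.
Finding = Tuple[str, str, str]

# Resolvers you deliberately configured yourself (e.g. a corporate DNS server).
# Empty here, so every public NameServer entry is reported for review.
TRUSTED_DNS: set = set()

# Sample log constructed from entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [84a47e97] rundll32.exe "C:\WINDOWS\system32\fpuiblmp.dll",b
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtUmJBQ - awtUmJBQ.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # e.g. the [84a47e97] entry above


def check_o4(name: str, cmd: str) -> List[Finding]:
    """Run keys: 8-hex-char names and rundll32-loaded DLLs deserve a closer look."""
    out: List[Finding] = []
    if HEX_NAME_RE.match(name):
        out.append(("high", "O4", f'Run entry "{name}" has a random hex name: {cmd}'))
    if "rundll32" in cmd.lower():
        out.append(("medium", "O4", f'Run entry "{name}" loads a DLL through rundll32: {cmd}'))
    return out


def check_o17(servers: str) -> List[Finding]:
    """Static NameServer values: private (DHCP-style) addresses are normal; public
    resolvers you did not configure yourself are the classic DNS-hijack sign."""
    suspect = []
    for item in servers.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            if ip_address(item).is_private or item in TRUSTED_DNS:
                continue
        except ValueError:
            pass  # not an IP literal at all; report it as well
        suspect.append(item)
    if suspect:
        return [("high", "O17",
                 "static NameServer set to untrusted public resolvers: " + ", ".join(suspect))]
    return []


def check_o20_appinit(value: str) -> List[Finding]:
    """Any AppInit_DLLs value is loaded into every process that links user32.dll."""
    value = value.strip()
    if value:
        return [("high", "O20", f"AppInit_DLLs injects {value} into user-mode processes")]
    return []


def check_o20_notify(name: str, dll: str) -> List[Finding]:
    """Winlogon Notify packages whose DLL is gone are orphans typical of a partial removal."""
    if "(file missing)" in dll:
        return [("medium", "O20", f"orphaned Winlogon Notify entry {name} -> {dll}")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect findings from the sections handled above."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            findings += check_o4(m["name"], m["cmd"])
        elif m := O17_RE.match(line):
            findings += check_o17(m["servers"])
        elif m := O20_APPINIT_RE.match(line):
            findings += check_o20_appinit(m["value"])
        elif m := O20_NOTIFY_RE.match(line):
            findings += check_o20_notify(m["name"], m["dll"])
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    """Summarise findings as {severity: count} for a quick overview."""
    counts: dict = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, section, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {section}: {reason}")
```

The O17 check is deliberately conservative: a public resolver can be legitimate, so add the ones you configured to TRUSTED_DNS and compare the rest against the DhcpNameServer value the network actually handed out.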


#2 teacup61

  • Malware Response Team

Posted 07 February 2009 - 10:45 AM

Hello lomar79,

More than just one thing going on here, so it'll take a little while to fix.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background. So only run it once!

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


#3 lomar79


Posted 07 February 2009 - 11:07 PM

OK, here's my report.txt:

SmitFraudFix v2.393

Scan done at 22:52:53.87, Sat 02/07/2009
Run from C:\Documents and Settings\JJ\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\autorun.inf Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7693CFFE-4407-43DD-A8F7-D810322F8E10}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7693CFFE-4407-43DD-A8F7-D810322F8E10}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7693CFFE-4407-43DD-A8F7-D810322F8E10}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.39,85.255.112.40
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.39,85.255.112.40
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.112.39,85.255.112.40


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

And here's my new HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:35 PM, on 2/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {417B818F-ED19-4CAD-99A5-F061D2B019C6} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D8CADFE4-81E7-4424-887F-DC661B79EAFF} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [84a47e97] rundll32.exe "C:\WINDOWS\system32\fpuiblmp.dll",b
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtUmJBQ - awtUmJBQ.dll (file missing)
O20 - Winlogon Notify: mlJAtuSJ - mlJAtuSJ.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4878 bytes



I'll be waiting to hear from you. Thanks.

#4 teacup61

  • Malware Response Team

Posted 08 February 2009 - 09:32 AM

Hello,

You can delete SmitfraudFix. :thumbup2:

This tool is not a toy. If used the wrong way, you could trash your computer. Please use it only under the direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If Iolo gives you problems, then delete the download; if it gets that far, disable Iolo and try again. :)

Thanks,
tea

#5 lomar79


Posted 08 February 2009 - 09:48 PM

OK, I did. Here's my ComboFix report:

ComboFix 09-02-08.01 - JJ 2009-02-08 21:11:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.98 [GMT -5:00]
Running from: c:\documents and settings\JJ\Desktop\ComboFix.exe
AV: iolo AntiVirus® *On-access scanning disabled* (Updated)
FW: iolo Personal Firewall® *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-0-4-44-100015198-100009637-100025212-4537.com
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\gaopdxbvtvpqxv.sys
c:\windows\system32\drivers\gaopdxcdpqjwxr.sys
c:\windows\system32\drivers\gaopdxiewbmlil.sys
c:\windows\system32\drivers\gaopdxoqgmkosb.sys
c:\windows\system32\drivers\gaopdxwuypdvbf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\Efikmnnn.ini
c:\windows\system32\Efikmnnn.ini2
c:\windows\system32\fpuiblmp.dll
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxejwsfvpf.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\ktjsuhmd.dll
c:\windows\system32\mfc45.dll
c:\windows\system32\msblcd32.dll
c:\windows\system32\msssc.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\olwbeose.dll
c:\windows\system32\Process.exe
c:\windows\system32\qruvDcdd.ini
c:\windows\system32\qruvDcdd.ini2
c:\windows\system32\qxesaf.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wlbfrkbw.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-07 05:04 . 2009-02-07 05:04 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 03:21 . 2009-02-06 03:21 271 --a------ c:\windows\SysMech.INI
2009-02-06 02:49 . 2009-02-06 02:49 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2009-02-06 02:43 . 2009-02-06 02:43 432 --a------ c:\windows\system32\iolo.ini
2009-02-06 02:39 . 2009-02-06 02:39 <DIR> d-------- c:\program files\Common Files\Authentium
2009-02-06 02:39 . 2009-02-06 02:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\iolo
2009-02-06 02:39 . 2009-01-19 11:02 932,696 --a------ c:\windows\system32\Incinerator.dll
2009-02-06 02:39 . 2008-11-12 16:05 118,784 --a------ c:\windows\system32\iavlsp.dll
2009-02-06 02:39 . 2008-04-17 09:36 39,424 --a------ c:\windows\system32\xpacket.sys
2009-02-06 02:39 . 2008-04-17 09:45 9,341 --a------ c:\windows\system32\drivers\filedisk.sys
2009-02-06 02:38 . 2009-02-06 02:38 <DIR> d-------- c:\program files\iolo
2009-02-06 02:38 . 2008-09-24 09:32 28,672 --a------ c:\windows\system32\iolobtdfg.exe
2009-02-06 02:38 . 2008-11-18 11:51 8,192 --a------ c:\windows\system32\smrgdf.exe
2009-02-06 02:27 . 2009-02-06 02:53 <DIR> d-------- c:\documents and settings\JJ\Application Data\iolo
2009-02-06 02:27 . 2009-02-06 02:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
2009-02-04 00:23 . 2009-02-04 00:24 <DIR> d-------- c:\program files\RoboMail
2009-02-03 03:43 . 2009-02-03 03:43 216 --a------ c:\windows\EurekaLog.ini
2009-02-03 02:19 . 2009-02-03 02:19 <DIR> d-------- c:\program files\CCleaner
2009-02-01 23:07 . 2009-02-01 23:07 <DIR> d-------- c:\documents and settings\JJ\Application Data\Apple Computer
2009-02-01 22:48 . 2009-02-01 22:49 <DIR> d-------- c:\program files\QuickTime
2009-02-01 22:48 . 2009-02-01 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-01 22:47 . 2009-02-01 22:47 <DIR> d-------- c:\program files\Apple Software Update
2009-02-01 22:47 . 2009-02-01 22:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-01 21:01 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-01 21:01 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-01 21:01 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-01 21:01 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-02-01 05:59 . 2009-02-08 04:46 1,661,999 ---hs---- c:\windows\system32\pmlbiupf.ini
2009-01-31 03:36 . 2009-02-01 03:37 1,584,915 --ahs---- c:\windows\system32\nfsgbync.ini
2009-01-31 02:33 . 2009-01-31 02:33 <DIR> d-------- c:\documents and settings\JJ\Application Data\LiveSoftware
2009-01-30 04:38 . 2004-08-03 23:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-30 01:22 . 2009-02-04 00:43 <DIR> d-------- c:\program files\Free Mailing List Splitter
2009-01-29 18:51 . 2009-01-29 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\documents and settings\JJ\Application Data\SUPERAntiSpyware.com
2009-01-29 02:03 . 2009-02-03 23:28 456 --a------ c:\windows\XMailer.INI
2009-01-29 01:57 . 2009-01-29 18:49 1,548,546 --ahs---- c:\windows\system32\lwfsfldd.ini
2009-01-28 23:32 . 2009-01-28 23:32 <DIR> d-------- c:\program files\RomeCasino
2009-01-28 23:32 . 2009-02-02 01:21 <DIR> d-------- c:\documents and settings\JJ\Application Data\RomeCasino
2009-01-28 23:32 . 2009-01-28 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\RomeCasino
2009-01-27 03:41 . 2009-01-27 03:41 303 --a------ c:\windows\ST6UNST.000
2009-01-26 05:04 . 2009-01-26 05:04 3 --a------ c:\windows\system32\krx280.dat
2009-01-26 05:02 . 2009-01-26 05:02 <DIR> d-------- c:\program files\Email Sender Deluxe
2009-01-25 01:56 . 2009-01-27 03:40 249,856 --------- c:\windows\Setup1.exe
2009-01-25 01:56 . 2009-01-27 03:40 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-24 22:41 . 2009-01-24 22:57 <DIR> d-------- C:\Casino
2009-01-24 04:31 . 2009-01-24 04:34 <DIR> d-------- c:\documents and settings\JJ\Application Data\MSNInstaller
2009-01-23 03:27 . 2009-01-23 03:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SendMails
2009-01-23 03:27 . 2001-07-24 16:23 139,264 --a------ c:\windows\system32\FODBCLib.dll
2009-01-23 03:20 . 2009-01-23 03:20 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-01-23 03:20 . 2009-01-23 03:20 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2009-01-23 03:20 . 2009-01-23 03:20 212,240 --a------ c:\windows\system32\RICHTX32.OCX
2009-01-23 03:20 . 2009-01-23 03:20 152,848 --a------ c:\windows\system32\COMDLG32.OCX
2009-01-23 03:20 . 2009-01-23 03:20 124,688 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-22 21:53 . 2009-01-22 21:53 <DIR> d-------- c:\windows\Sun
2009-01-22 21:31 . 2009-01-22 21:31 <DIR> d-------- c:\program files\Java
2009-01-22 21:31 . 2009-01-22 21:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-22 21:31 . 2009-01-22 21:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 21:04 . 2009-01-22 21:04 <DIR> d-------- C:\MicroGaming
2009-01-22 21:04 . 2009-01-22 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microgaming
2009-01-22 21:04 . 2009-01-22 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\MGS
2009-01-21 00:15 . 2009-01-21 00:35 <DIR> d-------- c:\program files\TVUPlayer
2009-01-21 00:15 . 2009-01-21 00:15 <DIR> d-------- c:\documents and settings\JJ\LocalLow
2009-01-21 00:15 . 2009-01-21 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2009-01-21 00:12 . 2009-01-21 00:12 <DIR> d-------- c:\program files\SopCast
2009-01-20 22:21 . 2009-02-07 22:50 <DIR> d-------- c:\documents and settings\JJ
2009-01-20 22:18 . 2006-09-06 17:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-01-20 22:17 . 2009-01-20 22:17 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-20 21:52 . 2009-02-06 00:51 <DIR> d-------- c:\program files\Full Tilt Poker
2009-01-20 21:04 . 2009-01-20 21:04 <DIR> d-------- c:\program files\Alwil Software
2009-01-20 21:04 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-20 21:04 . 2003-03-18 14:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-01-20 21:04 . 2003-02-20 22:42 348,160 --a------ c:\windows\system32\MSVCR71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 02:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-20 23:24 --------- d-----w c:\program files\Intel
2009-01-20 23:20 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-20 23:20 --------- d-----w c:\program files\Analog Devices
2009-01-20 23:06 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iolo AntiVirus"="c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe" [2008-12-15 1106784]
"iolo Personal Firewall"="c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe" [2008-10-07 1316192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=voeuit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\Personal Firewall\\ioloFW.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\AntiVirus\\ioloAV.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\AntiVirus\\iAVEmailScanner.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25:TCP"= 25:TCP:gmail

R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [2009-02-06 39424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2009-02-06 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2009-02-06 712048]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
- - - - ORPHANS REMOVED - - - -

BHO-{417B818F-ED19-4CAD-99A5-F061D2B019C6} - (no file)
BHO-{D8CADFE4-81E7-4424-887F-DC661B79EAFF} - (no file)
ShellExecuteHooks-{D8CADFE4-81E7-4424-887F-DC661B79EAFF} - (no file)
Notify-awtUmJBQ - awtUmJBQ.dll
Notify-mlJAtuSJ - mlJAtuSJ.dll


.
------- Supplementary Scan -------
.
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 21:40:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\iavlsp.dll
c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-08 21:44:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-09 02:43:58

Pre-Run: 31,776,681,984 bytes free
Post-Run: 31,842,791,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

229



And here is my new HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:22 PM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4507 bytes



OK, I'll be waiting to hear from you.
Thank you again.

#6 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 09 February 2009 - 07:42 AM

Hello,

How is it running please?

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 lomar79 (Topic Starter, Members, 53 posts)

Posted 10 February 2009 - 12:48 AM

It's running great. It searches normally, no more redirects, and I got no malicious software according to the last tool you wanted me to download.

Here is the report:

Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2

2/10/2009 12:40:31 AM
mbam-log-2009-02-10 (00-40-31).txt

Scan type: Quick Scan
Objects scanned: 48165
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It never prompted me to reboot; I guess that's because I have no bugs.
And here's my new HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:21 AM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MAGICT~1\MagicTrafficBot.EXE
C:\Documents and Settings\JJ\Start Menu\Programs\Startup\VistaMessage.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: VistaMessage.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5043 bytes



I thank you. I'm asking: can I uninstall ComboFix and the other tools, or should I keep them to be safe so this doesn't happen again, or to frequently verify that I'm OK? I just don't want to use them like they're toys and uninstall something I'm not supposed to.

#8 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 10 February 2009 - 12:08 PM

Hello,

Glad it's running well.

One more thing to take care of.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\pmlbiupf.ini
c:\windows\system32\nfsgbync.ini
c:\windows\system32\lwfsfldd.ini
c:\windows\system32\voeuit.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. If you like MBAM, then keep it. If you only like your SAS, then do uninstall MBAM. We'll delete ComboFix as soon as we're done with it. :) You can keep HijackThis just in case you need to have help in the future.

Thanks,
tea
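Added example, not from this thread or from HijackThis, ComboFix or MBAM: a small Python script that parses the numbered entries of HijackThis logs like the ones posted here, diffs two logs of the same machine, and ranks the entries a helper checks first (the AppInit_DLLs line that the CFScript above targets, Winsock LSPs, autostarts outside Program Files and Windows, DPF downloads). The sample logs are short excerpts of the 8 and 11 February logs posted in this thread; the severity ranking and the expected-location list are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One numbered HijackThis entry, e.g. "O20 - AppInit_DLLs: voeuit.dll".
# Header lines, the "Running processes:" list and blank lines do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Where an O4 autostart binary is expected to live on this Windows XP machine
# (assumption for this example; adjust for the box being reviewed).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # assumed ranking


@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # section code: R0, R1, O2, O4, O10, O16, O20, O23, ...
    body: str  # text after "Oxx - "


def parse_log(text: str) -> list[Entry]:
    """Return the Rx/Oxx entries of a HijackThis log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(added, removed) entries between two logs of the same machine."""
    old, new = set(parse_log(before)), set(parse_log(after))
    return sorted(new - old), sorted(old - new)


def review(entries: list[Entry]) -> list[tuple[str, str, Entry]]:
    """Rank the entries a malware-response helper checks first."""
    findings = []
    for e in entries:
        if e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            # A DLL listed here is loaded into every process that maps
            # user32.dll; a random-looking name is the first thing to check.
            findings.append(("high", "AppInit_DLLs injection", e))
        elif e.kind == "O10":
            # A Winsock LSP sits in the network path of every socket.
            findings.append(("medium", "Winsock LSP", e))
        elif e.kind == "O4":
            # "[name] path" form for registry Run keys; "Startup: file" for
            # the Startup folder, which HijackThis reports without a path.
            path = e.body.split("] ", 1)[-1].strip('"').lower()
            if e.body.startswith("Startup:") or not path.startswith(EXPECTED_ROOTS):
                findings.append(("medium", "autostart outside Program Files/Windows", e))
        elif e.kind == "O16":
            # Downloaded ActiveX controls (DPF) run with the browser's rights.
            findings.append(("low", "ActiveX download", e))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[2]))


def still_present(before: str, after: str) -> list[tuple[str, str, Entry]]:
    """Flagged entries that survived the cleanup between two logs."""
    common = set(parse_log(before)) & set(parse_log(after))
    return review(sorted(common))


# Short excerpts of the 8 and 11 February HijackThis logs posted in this thread.
LOG_FEB08 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:22 PM, on 2/8/2009

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

LOG_FEB11 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:56 AM, on 2/11/2009

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    added, removed = diff_logs(LOG_FEB08, LOG_FEB11)
    print("added:", *(f"{e.kind} - {e.body}" for e in added), sep="\n  ")
    print("removed:", *(f"{e.kind} - {e.body}" for e in removed), sep="\n  ")
    print("still flagged after cleanup:")
    for sev, why, e in still_present(LOG_FEB08, LOG_FEB11):
        print(f"  [{sev}] {why}: {e.kind} - {e.body}")
```

Run against the two excerpts, the diff shows the AppInit_DLLs line present in both logs: deleting the DLL file does not clear the registry value that names it, which is why the entry keeps appearing.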

#9 lomar79 (Topic Starter, Members, 53 posts)

Posted 11 February 2009 - 02:35 AM

OK, here's the ComboFix report:
ComboFix 09-02-10.02 - JJ 2009-02-11 2:25:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.136 [GMT -5:00]
Running from: c:\documents and settings\JJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JJ\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning disabled* (Updated)
FW: iolo Personal Firewall® *disabled*

FILE ::
c:\windows\system32\lwfsfldd.ini
c:\windows\system32\nfsgbync.ini
c:\windows\system32\pmlbiupf.ini
c:\windows\system32\voeuit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lwfsfldd.ini
c:\windows\system32\Memman.vxd
c:\windows\system32\nfsgbync.ini
c:\windows\system32\pmlbiupf.ini
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 04:30 . 2009-02-10 04:30 <DIR> d-------- c:\program files\Email Subscriber Pro
2009-02-10 03:31 . 2009-02-10 03:31 <DIR> d-------- c:\program files\Squeeze Page Wizard
2009-02-10 03:30 . 2009-02-10 03:30 0 --a------ C:\_@9.tmp
2009-02-10 00:35 . 2009-02-10 00:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 00:35 . 2009-02-10 00:35 <DIR> d-------- c:\documents and settings\JJ\Application Data\Malwarebytes
2009-02-10 00:35 . 2009-02-10 00:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 00:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 00:35 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 04:30 . 2009-02-09 04:30 <DIR> d-------- c:\program files\SpecialOperationsSoftware
2009-02-09 04:14 . 2009-02-09 04:14 <DIR> d-------- c:\program files\Magic Traffic Bot
2009-02-09 04:14 . 1999-09-07 21:27 244,232 --a------ c:\windows\system32\Msflxgrd.ocx
2009-02-09 04:10 . 2009-02-09 04:10 <DIR> d-------- c:\program files\Forum Submitter Pro Full
2009-02-09 03:56 . 2009-02-10 01:57 <DIR> d-------- c:\program files\SEO Elite 4
2009-02-07 05:04 . 2009-02-07 05:04 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 03:21 . 2009-02-06 03:21 271 --a------ c:\windows\SysMech.INI
2009-02-06 02:49 . 2009-02-06 02:49 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2009-02-06 02:43 . 2009-02-06 02:43 432 --a------ c:\windows\system32\iolo.ini
2009-02-06 02:39 . 2009-02-06 02:39 <DIR> d-------- c:\program files\Common Files\Authentium
2009-02-06 02:39 . 2009-02-06 02:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\iolo
2009-02-06 02:39 . 2009-01-19 11:02 932,696 --a------ c:\windows\system32\Incinerator.dll
2009-02-06 02:39 . 2008-11-12 16:05 118,784 --a------ c:\windows\system32\iavlsp.dll
2009-02-06 02:39 . 2008-04-17 09:36 39,424 --a------ c:\windows\system32\xpacket.sys
2009-02-06 02:39 . 2008-04-17 09:45 9,341 --a------ c:\windows\system32\drivers\filedisk.sys
2009-02-06 02:38 . 2009-02-06 02:38 <DIR> d-------- c:\program files\iolo
2009-02-06 02:38 . 2008-09-24 09:32 28,672 --a------ c:\windows\system32\iolobtdfg.exe
2009-02-06 02:38 . 2008-11-18 11:51 8,192 --a------ c:\windows\system32\smrgdf.exe
2009-02-06 02:27 . 2009-02-06 02:53 <DIR> d-------- c:\documents and settings\JJ\Application Data\iolo
2009-02-06 02:27 . 2009-02-06 02:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
2009-02-03 03:43 . 2009-02-03 03:43 216 --a------ c:\windows\EurekaLog.ini
2009-02-03 02:19 . 2009-02-03 02:19 <DIR> d-------- c:\program files\CCleaner
2009-02-01 23:07 . 2009-02-01 23:07 <DIR> d-------- c:\documents and settings\JJ\Application Data\Apple Computer
2009-02-01 22:48 . 2009-02-01 22:49 <DIR> d-------- c:\program files\QuickTime
2009-02-01 22:48 . 2009-02-01 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-01 22:47 . 2009-02-01 22:47 <DIR> d-------- c:\program files\Apple Software Update
2009-02-01 22:47 . 2009-02-01 22:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-01 21:01 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-01 21:01 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-01 21:01 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-01 21:01 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-31 02:33 . 2009-01-31 02:33 <DIR> d-------- c:\documents and settings\JJ\Application Data\LiveSoftware
2009-01-30 04:38 . 2004-08-03 23:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-30 01:22 . 2009-02-04 00:43 <DIR> d-------- c:\program files\Free Mailing List Splitter
2009-01-29 18:51 . 2009-01-29 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\documents and settings\JJ\Application Data\SUPERAntiSpyware.com
2009-01-29 02:03 . 2009-02-03 23:28 456 --a------ c:\windows\XMailer.INI
2009-01-28 23:32 . 2009-02-10 00:41 <DIR> d-------- c:\documents and settings\JJ\Application Data\RomeCasino
2009-01-27 03:41 . 2009-01-27 03:41 303 --a------ c:\windows\ST6UNST.000
2009-01-26 05:04 . 2009-01-26 05:04 3 --a------ c:\windows\system32\krx280.dat
2009-01-26 05:02 . 2009-01-26 05:02 <DIR> d-------- c:\program files\Email Sender Deluxe
2009-01-25 01:56 . 2009-01-27 03:40 249,856 --------- c:\windows\Setup1.exe
2009-01-25 01:56 . 2009-01-27 03:40 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-24 22:41 . 2009-01-24 22:57 <DIR> d-------- C:\Casino
2009-01-24 04:31 . 2009-01-24 04:34 <DIR> d-------- c:\documents and settings\JJ\Application Data\MSNInstaller
2009-01-23 03:27 . 2009-01-23 03:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SendMails
2009-01-23 03:27 . 2001-07-24 16:23 139,264 --a------ c:\windows\system32\FODBCLib.dll
2009-01-23 03:20 . 2009-01-23 03:20 1,081,616 --------- c:\windows\system32\MSCOMCTL.OCX
2009-01-23 03:20 . 2009-01-23 03:20 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2009-01-23 03:20 . 2009-01-23 03:20 212,240 --a------ c:\windows\system32\RICHTX32.OCX
2009-01-23 03:20 . 2009-01-23 03:20 152,848 --a------ c:\windows\system32\COMDLG32.OCX
2009-01-22 21:53 . 2009-01-22 21:53 <DIR> d-------- c:\windows\Sun
2009-01-22 21:31 . 2009-01-22 21:31 <DIR> d-------- c:\program files\Java
2009-01-22 21:31 . 2009-01-22 21:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-22 21:31 . 2009-01-22 21:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 21:04 . 2009-01-22 21:04 <DIR> d-------- C:\MicroGaming
2009-01-22 21:04 . 2009-01-22 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microgaming
2009-01-22 21:04 . 2009-01-22 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\MGS
2009-01-21 00:15 . 2009-01-21 00:35 <DIR> d-------- c:\program files\TVUPlayer
2009-01-21 00:15 . 2009-01-21 00:15 <DIR> d-------- c:\documents and settings\JJ\LocalLow
2009-01-21 00:15 . 2009-01-21 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2009-01-21 00:12 . 2009-01-21 00:12 <DIR> d-------- c:\program files\SopCast
2009-01-20 22:21 . 2009-02-10 03:30 <DIR> d-------- c:\documents and settings\JJ
2009-01-20 22:18 . 2006-09-06 17:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-01-20 22:17 . 2009-01-20 22:17 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-20 21:52 . 2009-02-06 00:51 <DIR> d-------- c:\program files\Full Tilt Poker
2009-01-20 21:04 . 2009-01-20 21:04 <DIR> d-------- c:\program files\Alwil Software
2009-01-20 21:04 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-20 21:04 . 2003-03-18 14:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-01-20 21:04 . 2003-02-20 22:42 348,160 --a------ c:\windows\system32\MSVCR71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 02:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-20 23:24 --------- d-----w c:\program files\Intel
2009-01-20 23:20 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-20 23:20 --------- d-----w c:\program files\Analog Devices
2009-01-20 23:06 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( SnapShot@2009-02-08_21.42.51.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 08:58:52 13,312 ----a-w c:\windows\system32\BASSMOD.dll
- 2004-08-04 04:56:42 66,560 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2004-08-04 04:56:42 66,560 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2004-08-04 04:56:48 430,592 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2004-08-04 04:56:58 111,104 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2004-08-04 04:56:48 1,134,592 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2004-08-04 04:56:48 112,640 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2004-08-04 04:56:48 36,864 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2004-08-04 04:56:48 120,320 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
- 2004-08-04 04:56:48 430,592 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2004-08-04 04:56:58 111,104 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2004-08-04 04:56:48 1,134,592 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2004-08-04 04:56:48 112,640 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2004-08-04 04:56:48 36,864 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2004-08-04 04:56:48 120,320 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2009-02-11 07:18:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_80.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iolo Personal Firewall"="c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe" [2008-10-07 1316192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=voeuit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\Personal Firewall\\ioloFW.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\AntiVirus\\ioloAV.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\AntiVirus\\iAVEmailScanner.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25:TCP"= 25:TCP:gmail

R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [2009-02-06 39424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2009-02-06 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2009-02-06 712048]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}]
c:\windows\mshyet.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 02:29:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\iavlsp.dll
c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
Completion time: 2009-02-11 2:32:07
ComboFix-quarantined-files.txt 2009-02-11 07:32:01
ComboFix2.txt 2009-02-09 02:44:05

Pre-Run: 32,896,327,680 bytes free
Post-Run: 32,942,231,552 bytes free

222



And here is the HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:56 AM, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4558 bytes



Thanks, I'll be waiting to hear from you.

#10 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 11 February 2009 - 06:03 PM

Hello,

Please stop installing stuff until we're done. That isn't helping at all.

* Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the box below into Notepad:

KILLALL::

File::
c:\windows\mshyet.exe
C:\_@9.tmp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot not reproduced]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Do you use the poker programs I see? If not, uninstall them. I'm also seeing pieces of several different AntiVirus programs. If you use Iolo, then be sure to either disable or uninstall all the others.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 lomar79 (Topic Starter, Members, 53 posts)

Posted 12 February 2009 - 01:33 AM

Why do you ask about the poker site?

I'm looking for an antivirus; I'm just trying iolo, but I might go back to Avast, not sure really.

Here's my new ComboFix log:

ComboFix 09-02-11.02 - JJ 2009-02-12 1:21:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.78 [GMT -5:00]
Running from: c:\documents and settings\JJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JJ\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning disabled* (Updated)
FW: iolo Personal Firewall® *enabled*
* Created a new restore point

FILE ::
C:\_@9.tmp
c:\windows\mshyet.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_@9.tmp

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-10 04:30 . 2009-02-10 04:30 <DIR> d-------- c:\program files\Email Subscriber Pro
2009-02-10 03:31 . 2009-02-10 03:31 <DIR> d-------- c:\program files\Squeeze Page Wizard
2009-02-10 00:35 . 2009-02-10 00:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 00:35 . 2009-02-10 00:35 <DIR> d-------- c:\documents and settings\JJ\Application Data\Malwarebytes
2009-02-10 00:35 . 2009-02-10 00:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 00:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 00:35 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 04:30 . 2009-02-09 04:30 <DIR> d-------- c:\program files\SpecialOperationsSoftware
2009-02-09 04:14 . 2009-02-09 04:14 <DIR> d-------- c:\program files\Magic Traffic Bot
2009-02-09 04:14 . 1999-09-07 21:27 244,232 --a------ c:\windows\system32\Msflxgrd.ocx
2009-02-09 04:10 . 2009-02-09 04:10 <DIR> d-------- c:\program files\Forum Submitter Pro Full
2009-02-09 03:56 . 2009-02-10 01:57 <DIR> d-------- c:\program files\SEO Elite 4
2009-02-07 05:04 . 2009-02-07 05:04 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 03:21 . 2009-02-06 03:21 271 --a------ c:\windows\SysMech.INI
2009-02-06 02:49 . 2009-02-06 02:49 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2009-02-06 02:43 . 2009-02-06 02:43 432 --a------ c:\windows\system32\iolo.ini
2009-02-06 02:39 . 2009-02-06 02:39 <DIR> d-------- c:\program files\Common Files\Authentium
2009-02-06 02:39 . 2009-02-06 02:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\iolo
2009-02-06 02:39 . 2009-01-19 11:02 932,696 --a------ c:\windows\system32\Incinerator.dll
2009-02-06 02:39 . 2008-11-12 16:05 118,784 --a------ c:\windows\system32\iavlsp.dll
2009-02-06 02:39 . 2008-04-17 09:36 39,424 --a------ c:\windows\system32\xpacket.sys
2009-02-06 02:39 . 2008-04-17 09:45 9,341 --a------ c:\windows\system32\drivers\filedisk.sys
2009-02-06 02:38 . 2009-02-06 02:38 <DIR> d-------- c:\program files\iolo
2009-02-06 02:38 . 2008-09-24 09:32 28,672 --a------ c:\windows\system32\iolobtdfg.exe
2009-02-06 02:38 . 2008-11-18 11:51 8,192 --a------ c:\windows\system32\smrgdf.exe
2009-02-06 02:27 . 2009-02-06 02:53 <DIR> d-------- c:\documents and settings\JJ\Application Data\iolo
2009-02-06 02:27 . 2009-02-06 02:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
2009-02-03 03:43 . 2009-02-03 03:43 216 --a------ c:\windows\EurekaLog.ini
2009-02-03 02:19 . 2009-02-03 02:19 <DIR> d-------- c:\program files\CCleaner
2009-02-01 23:07 . 2009-02-01 23:07 <DIR> d-------- c:\documents and settings\JJ\Application Data\Apple Computer
2009-02-01 22:48 . 2009-02-01 22:49 <DIR> d-------- c:\program files\QuickTime
2009-02-01 22:48 . 2009-02-01 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-01 22:47 . 2009-02-01 22:47 <DIR> d-------- c:\program files\Apple Software Update
2009-02-01 22:47 . 2009-02-01 22:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-01 21:01 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-01 21:01 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-01 21:01 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-01 21:01 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-31 02:33 . 2009-01-31 02:33 <DIR> d-------- c:\documents and settings\JJ\Application Data\LiveSoftware
2009-01-30 04:38 . 2004-08-03 23:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-30 01:22 . 2009-02-04 00:43 <DIR> d-------- c:\program files\Free Mailing List Splitter
2009-01-29 18:51 . 2009-01-29 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-29 18:50 . 2009-01-29 18:50 <DIR> d-------- c:\documents and settings\JJ\Application Data\SUPERAntiSpyware.com
2009-01-29 02:03 . 2009-02-03 23:28 456 --a------ c:\windows\XMailer.INI
2009-01-28 23:32 . 2009-02-10 00:41 <DIR> d-------- c:\documents and settings\JJ\Application Data\RomeCasino
2009-01-27 03:41 . 2009-01-27 03:41 303 --a------ c:\windows\ST6UNST.000
2009-01-26 05:04 . 2009-01-26 05:04 3 --a------ c:\windows\system32\krx280.dat
2009-01-26 05:02 . 2009-01-26 05:02 <DIR> d-------- c:\program files\Email Sender Deluxe
2009-01-25 01:56 . 2009-01-27 03:40 249,856 --------- c:\windows\Setup1.exe
2009-01-25 01:56 . 2009-01-27 03:40 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-24 22:41 . 2009-01-24 22:57 <DIR> d-------- C:\Casino
2009-01-24 04:31 . 2009-01-24 04:34 <DIR> d-------- c:\documents and settings\JJ\Application Data\MSNInstaller
2009-01-23 03:27 . 2009-01-23 03:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SendMails
2009-01-23 03:27 . 2001-07-24 16:23 139,264 --a------ c:\windows\system32\FODBCLib.dll
2009-01-23 03:20 . 2009-01-23 03:20 1,081,616 --------- c:\windows\system32\MSCOMCTL.OCX
2009-01-23 03:20 . 2009-01-23 03:20 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2009-01-23 03:20 . 2009-01-23 03:20 212,240 --a------ c:\windows\system32\RICHTX32.OCX
2009-01-23 03:20 . 2009-01-23 03:20 152,848 --a------ c:\windows\system32\COMDLG32.OCX
2009-01-22 21:53 . 2009-01-22 21:53 <DIR> d-------- c:\windows\Sun
2009-01-22 21:31 . 2009-01-22 21:31 <DIR> d-------- c:\program files\Java
2009-01-22 21:31 . 2009-01-22 21:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-22 21:31 . 2009-01-22 21:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 21:04 . 2009-01-22 21:04 <DIR> d-------- C:\MicroGaming
2009-01-22 21:04 . 2009-01-22 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microgaming
2009-01-22 21:04 . 2009-01-22 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\MGS
2009-01-21 00:15 . 2009-01-21 00:35 <DIR> d-------- c:\program files\TVUPlayer
2009-01-21 00:15 . 2009-01-21 00:15 <DIR> d-------- c:\documents and settings\JJ\LocalLow
2009-01-21 00:15 . 2009-01-21 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2009-01-21 00:12 . 2009-01-21 00:12 <DIR> d-------- c:\program files\SopCast
2009-01-20 22:21 . 2009-02-10 03:30 <DIR> d-------- c:\documents and settings\JJ
2009-01-20 22:18 . 2006-09-06 17:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-01-20 22:17 . 2009-01-20 22:17 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-20 21:52 . 2009-02-06 00:51 <DIR> d-------- c:\program files\Full Tilt Poker
2009-01-20 21:04 . 2009-01-20 21:04 <DIR> d-------- c:\program files\Alwil Software
2009-01-20 21:04 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-20 21:04 . 2003-03-18 14:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-01-20 21:04 . 2003-02-20 22:42 348,160 --a------ c:\windows\system32\MSVCR71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 02:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-20 23:24 --------- d-----w c:\program files\Intel
2009-01-20 23:20 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-20 23:20 --------- d-----w c:\program files\Analog Devices
2009-01-20 23:06 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( SnapShot_2009-02-11_ 2.30.47.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-12 06:25:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_234.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iolo Personal Firewall"="c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe" [2008-10-07 1316192]

c:\documents and settings\JJ\Start Menu\Programs\Startup\
VistaMessage.exe [2007-12-19 585728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 16:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\Personal Firewall\\ioloFW.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\AntiVirus\\ioloAV.exe"=
"c:\\Program Files\\iolo\\System Mechanic Professional\\AntiVirus\\iAVEmailScanner.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25:TCP"= 25:TCP:gmail

R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [2009-02-06 39424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2009-02-06 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2009-02-06 712048]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 01:25:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\iavlsp.dll
c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\documents and settings\JJ\Start Menu\Programs\Startup\VistaMessage.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-12 1:28:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 06:28:55
ComboFix2.txt 2009-02-11 07:32:09
ComboFix3.txt 2009-02-09 02:44:05

Pre-Run: 32,842,182,656 bytes free
Post-Run: 32,915,124,224 bytes free

192


And here's my new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:33 AM, on 2/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Documents and Settings\JJ\Start Menu\Programs\Startup\VistaMessage.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: VistaMessage.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4600 bytes
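The two HijackThis logs in this thread differ in exactly the places a responder looks at first: the `O20 - AppInit_DLLs: voeuit.dll` line from the first log is gone after the CFScript (any non-empty AppInit_DLLs value is a DLL that user32.dll loads into every process mapping it, which is why it was the prime suspect for browser redirects), and a new `O4 - Startup: VistaMessage.exe` entry has appeared. Reading that difference by eye across two 4 KB logs is error-prone, so here is an added example, not code from the thread or from Trend Micro, of a small Python triage script that parses HJT entry lines, scores the autostart and injection points, de-duplicates the repeated O10 LSP lines, and diffs a before/after pair. The excerpts embedded in it are lines copied from the two logs above; the severity labels and the `TRUSTED_DPF_HOSTS` allowlist are this example's own assumptions, not anything HijackThis itself emits.

```python
"""Triage HijackThis (HJT) logs: score autostart/injection entries and diff
two logs to see what a cleanup step changed.  Added example for this thread;
not a BleepingComputer, Trend Micro or ComboFix tool."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity section item reason")

# Excerpts copied from the two HJT logs posted in this thread (before and
# after the ComboFix CFScript).  Unrelated lines of those logs are omitted.
LOG_BEFORE = r"""
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - AppInit_DLLs: voeuit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""
LOG_AFTER = r"""
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: VistaMessage.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# HJT entry lines look like "O20 - <body>", "R1 - <body>", "F2 - <body>".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# Hosts from which an ActiveX download (O16/DPF) is expected on a stock XP box.
# Assumption for this example; extend it with whatever your environment trusts.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "java.com", "macromedia.com")


def parse(text):
    """Yield (section, body) for every HJT entry line, skipping headers and noise."""
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(text):
    """Return Findings for one log.  LSP DLLs are de-duplicated because HJT
    prints the same file once per Winsock catalog entry that references it."""
    findings, seen_lsp = [], set()
    for sec, body in parse(text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # an empty AppInit_DLLs value is the normal state
                findings.append(Finding("HIGH", sec, value,
                    "loaded by user32.dll into every process that maps it"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding("MEDIUM", sec, body.split(":", 1)[1].strip(),
                "DLL loaded into winlogon.exe at logon; verify the vendor"))
        elif sec == "O4" and body.startswith("Startup:"):
            findings.append(Finding("MEDIUM", sec, body.split(":", 1)[1].strip(),
                "file in a Startup folder runs at every logon"))
        elif sec == "O10":
            dll = body.partition("Winsock LSP:")[2].strip().lower()
            if dll and dll not in seen_lsp:
                seen_lsp.add(dll)
                findings.append(Finding("MEDIUM", sec, dll,
                    "LSP sees all Winsock traffic; confirm it belongs to installed software"))
        elif sec == "O16":
            url_m = re.search(r"https?://\S+", body)
            if url_m and not _host_trusted(url_m.group(0)):
                findings.append(Finding("MEDIUM", sec, url_m.group(0),
                    "ActiveX control downloaded from a host outside the allowlist"))
        elif sec == "O2":
            findings.append(Finding("INFO", sec, body.split(" - ")[-1].strip(),
                "browser helper object loaded by Internet Explorer"))
    return findings


def diff_findings(before_text, after_text):
    """Findings a cleanup step removed, and findings that appeared since,
    keyed on (section, item) so reordering in the log does not count as change."""
    key = lambda f: (f.section, f.item)
    b = {key(f): f for f in triage(before_text)}
    a = {key(f): f for f in triage(after_text)}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


if __name__ == "__main__":
    removed, added = diff_findings(LOG_BEFORE, LOG_AFTER)
    for tag, items in (("removed", removed), ("new", added)):
        for f in items:
            print(f"{tag:8} {f.severity:6} {f.section:4} {f.item}  ({f.reason})")
```

Run against the two excerpts it reports one removed finding (HIGH, O20, voeuit.dll) and one new one (MEDIUM, O4, VistaMessage.exe); the casino ActiveX control and the two iolo LSP DLLs are present in both logs and so do not show up in the diff, although `triage()` alone still lists them for review. The point of keying the diff on (section, item) rather than on raw lines is that HJT's duplicate O10 lines and any reordering would otherwise produce noise that hides the one entry that actually changed.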

#12 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 12 February 2009 - 12:55 PM

Okie dokie... here's the deal. I'm not stupid, and I know what you're doing. I asked you not to install anything else, but you have anyway, and it contained a baddie. VistaMessage.exe comes from programs made by Bishop Anders, a black-hat SEO. I'm not here to clean up all the garbage from all of your downloads... and especially not for free. Do not post back here again.

This topic is closed.



