Overclick.cn


  • This topic is locked
22 replies to this topic

#1 ReLiC71

  • Members
  • 12 posts

Posted 13 July 2009 - 10:58 AM

I've become 'infected' (?) with the Overclick.cn Google redirecter. I've scanned with Avira, Malwarebytes and Spybot and none of them are finding any problems. I'd be grateful for any help I can get.

Rob




DDS (Ver_09-06-26.01) - NTFSx86
Run by ReLiC at 16:52:56.42 on 13/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1001 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RayV\RayV\RayV.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\ReLiC\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RayV] c:\program files\rayv\rayv\RayV.exe /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-2 11608]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/29 17:56:08];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-2 55640]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-5-21 93184]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2009-5-18 26240]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 cpuz130;cpuz130;\??\c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-18 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]

=============== Created Last 30 ================

2009-07-11 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\hitpointstudios
2009-07-11 19:19 <DIR> --d----- c:\program files\CLUE Accusations and Alibis
2009-07-11 11:00 <DIR> --d----- c:\docume~1\relic\applic~1\Enlightenus
2009-06-26 13:03 <DIR> --d----- c:\docume~1\relic\applic~1\RayV
2009-06-26 13:03 <DIR> --d----- c:\program files\RayV
2009-06-21 15:16 <DIR> --d----- c:\docume~1\relic\applic~1\Neverball
2009-06-21 14:57 <DIR> --d----- c:\program files\GPL
2009-06-21 14:56 <DIR> --d----- c:\program files\Algodoo Phun Edition
2009-06-19 13:05 <DIR> --d----- c:\docume~1\relic\applic~1\BrandX Games
2009-06-17 04:24 <DIR> --d----- c:\docume~1\relic\applic~1\SunRay Games

==================== Find3M ====================


============= FINISH: 16:54:25.17 ===============
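The SERVICES / DRIVERS section of the DDS log above is the part a helper reads first when hunting a redirector, because a driver or service loaded from a user-writable folder is the classic place for a rootkit-style component to hide. As an added example (not code from this thread and not DDS's own tooling), the Python script below parses that section's line layout as it appears in the log, `<state> <name>;<display name>;<path> [<date> <size>]`, and flags entries whose binary sits under a temp or profile directory or for which DDS printed `[?]` instead of a date and size. The sample input is constructed from lines of the log above; the list of suspicious directory markers is this example's own heuristic. Note that the one entry it flags, cpuz130, is flagged on location alone: the heuristic says "look here", it does not say "malicious".

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example (not part of the forum thread and not DDS's own code). It assumes
the line layout visible in the log above:

    <state> <name>;<display name>;<path> [<date> <size>]

where a path may be printed as '<raw> --> <resolved>' and the trailing bracket
may be '[?]' when DDS recorded no date/size for the file.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the DDS log posted above.
SAMPLE_LOG = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-2 11608]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/29 17:56:08];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-2 55640]
S3 cpuz130;cpuz130;\??\c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
"""

# state: R = running, S = stopped; the digit is the start type as DDS prints it
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Directories a driver or service binary has no business living in.
# Heuristic list chosen for this example; extend it for your environment.
USER_WRITABLE_MARKERS = (
    "\\temp\\",
    "\\docume~1\\",
    "\\documents and settings\\",
    "\\appdata\\",
    "\\users\\",
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str      # resolved on-disk path (right side of '-->' if present)
    meta: str      # '<date> <size>' or '?' when DDS recorded none
    missing: bool  # True when meta is '?'


def parse_service_line(line: str):
    """Return a ServiceEntry for one DDS service/driver line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # The date/size bracket is always last; the display name may itself
    # contain brackets (see the Power Control entry), so split from the right.
    path_part, sep, meta = rest.rpartition(" [")
    if not sep:
        return None
    meta = meta.rstrip("]").strip()
    if " --> " in path_part:
        path_part = path_part.split(" --> ")[-1]
    return ServiceEntry(
        state=m.group("state"),
        name=m.group("name"),
        display=m.group("display"),
        path=path_part.strip(),
        meta=meta,
        missing=(meta == "?"),
    )


def parse_services(log_text: str):
    """Parse every service/driver line found anywhere in a DDS log body."""
    entries = []
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e:
            entries.append(e)
    return entries


def triage(log_text: str):
    """Map service name -> list of reasons it deserves a closer look."""
    findings = {}
    for e in parse_services(log_text):
        reasons = []
        low = e.path.lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append(f"binary under a user-writable/temp path: {e.path}")
        if e.missing:
            reasons.append("DDS recorded no date/size for the file ([?])")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run it against the pasted section of a real log and read the findings in the state column's light: an `R`-state driver from a temp folder is a live kernel component and warrants much more attention than an `S3` leftover from a hardware utility.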


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 July 2009 - 10:15 PM

Hello Rob,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

***********

Download Hijackthis by following the instructions here: http://www.download.com/Trend-Micro-Hijack....html?tag=mncol

Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Let it install in the default folder C:\Program Files\Trend Micro\HijackThis

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
Save it to your desktop.
Press Save. Save it to your desktop.
A notepad file will open.
If no notepad opens then it will be on your desktop (where you saved it)
Post the content here in your reply.
Close HijackThis.

***********


Please post the last Malwarebytes log so I can see what it found.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ReLiC71
  • Topic Starter

  • Members
  • 12 posts

Posted 15 July 2009 - 02:53 AM

Thanks for getting back to me so soon.

There are a couple of additional things that have been happening since I discovered the infection, and I assume they're connected. Just in case the info is of any use: Firstly, I'm unable to burn any CDs/DVDs (Nero tells me that I need the administrator to enable burning rights. I am the administrator on the machine, and can't see any newly created accounts), and secondly my Windows Firewall keeps disabling itself.

Logs to follow.

Rob

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AdobeAfterEffectsCS4Presets
AviraAntiVirPersonal-FreeAntivirus
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Out of date HijackThis installed!
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 1.99.1
Java™ 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Spybot SDHelper is disabled!
Spybot - Search & Destroy TeaTimer.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 3638 seconds.
`````````End of Log```````````




HJT Uninstall List

2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
Acrobat.com
Acrobat.com
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Template Projects & Footage
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Asset Services CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles AE CS4
Adobe Color Video Profiles CS CS4
Adobe Contribute CS4
Adobe Creative Suite 4 Master Collection
Adobe Creative Suite 4 Master Collection
Adobe CS4 American English Speech Analysis Models
Adobe CS4 International English Speech Analysis Models
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe Encore CS4 Codecs
Adobe Encore CS4 Library
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Media Player
Adobe MotionPicture Color Files CS4
Adobe OnLocation CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe Soundbooth CS4
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe Version Cue CS4 Server
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Catalyst Control Center - Branding
CDisplay 1.8
Choice Guard
CLUE Accusations and Alibis
Connect
Creative Audio Control Panel
Critical Update for Windows Media Player 11 (KB959772)
Crysis®
Curse Client
CyberLink PowerDVD 9
CyberLink PowerDVD 9
EA Download Manager
Electricsheep Screensaver 2.7b16
Enlightenus 1.00
GameSpy Comrade
Haunted Hotel 2 - Believe the Lies 1.00
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Image Zone 4.0
HP Software Update
HP Unload DLL Patch
Inspector Parker
Java™ 6 Update 13
Junk Mail filter update
kuler
Malwarebytes' Anti-Malware
MCF - Madame Fate
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.5)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Mystic Diary - Lost Brother
Nero 8
neroxml
OpenAL
PDF Settings CS4
Photoshop Camera Raw
Photosmart 320,370,7400,8100,8400 Series
Pixel Bender Toolkit
PunkBuster Services
QuickTime
RAPTOR-ADJUST M3 V1
RayV
Real Crimes - The Unicorn Killer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
S.C.O.U.R.G.E.
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
ShellExView
Sony Picture Utility
SPORE™
SPORE™ Creepy & Cute Parts Pack
Spybot - Search & Destroy
Suite Shared Configuration CS4
The Sims™ 3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Ventrilo Client
VLC media player 1.0.0
Winamp
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft



Malwarebytes' Anti-Malware 1.38
Database version: 2419
Windows 5.1.2600 Service Pack 3

13/07/2009 16:39:17
mbam-log-2009-07-13 (16-39-17).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|)
Objects scanned: 20620
Time elapsed: 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 July 2009 - 05:15 AM

Hi Rob,

What version of Malwarebytes are you running? It was recently updated to 1.39, so if you do not have that version, please update it. Make sure to update the database also.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 13
    Java(6 Update 3
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AntiVir Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

To disable SPYBOT TEATIMER:
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#5 ReLiC71
  • Topic Starter

  • Members
  • 12 posts

Posted 15 July 2009 - 06:14 AM

Okay, so I followed all the instructions, and Overclick.cn appears to be gone, but Combofix didn't generate a log.

Basically, I disabled all the resident programs, ran Combofix, downloaded the recovery console during the process, and then left it doing its thing. The machine rebooted once and went through 50+ stages, deleted a bunch of files and folders, then asked for a further reboot. When it rebooted, Combofix didn't start up again, and no log was generated, but things appear to be working again. My Google searches are fine now. Thank you SO much.

Is there anything further I should do?

#6 ReLiC71 (Topic Starter)

Posted 15 July 2009 - 06:45 AM

I just did a Malwarebyte's scan to check with the updated version, and Avira jumped in and alerted me with this message: "A virus or unwanted program was found! C:\Combofix\n.pif. The file contains an executable program that is disguised by a harmless file extension. (HIDDENEXT/Crypted)"

I chose Ignore this time around, as I wasn't sure if it was a false positive from Combofix.

Also, the Combofix folder on my C drive has the My Computer icon, and when I open it to look inside the folder it takes me to My Computer.

Update: The previous was written while the Malwarebytes scan was in progress. Malwarebytes seems to be unable to complete the scan and generate a log. It scans the drives with no problems (finding 8 infections into the bargain), but when it reaches the Performing Extra and Heuristic Scan section, it stops responding. I've tried both full and quick scans, with identical results.

Edited by ReLiC71, 15 July 2009 - 08:14 AM.


#7 SifuMike (malware expert, Staff Emeritus)

Posted 15 July 2009 - 10:33 AM

Hi Rob,

The combofix log will be at c:\ComboFix.txt

Please post it.

Avira jumped in and alerted me with this message: "A virus or unwanted program was found! C:\Combofix\n.pif. The file contains an executable program that is disguised by a harmless file extension. (HIDDENEXT/Crypted)"


Select Ignore when you get that message. Most antivirus programs see ComboFix as malware, which it is not.

#8 ReLiC71 (Topic Starter)

Posted 15 July 2009 - 10:44 AM

The combofix log will be at c:\ComboFix.txt


I checked there first, and no such file. I then did a Search, and it's nowhere on the machine.

Edit:

I thought I'd try to locate the files using the Command Prompt, seeing as Windows wouldn't let me look inside the Combofix folder (see previous post) and I discovered a Combofix.txt file inside the folder. I'm not sure if this is the right file, but it's all I could find.

ComboFix 09-07-14.07 - ReLiC 15/07/2009 11:52:25.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1624 [GMT 1:00]
Running from: C:\Documents and Settings\ReLiC\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

That's all it contains.

Edited by ReLiC71, 15 July 2009 - 11:41 AM.


#9 SifuMike (malware expert, Staff Emeritus)

Posted 15 July 2009 - 01:28 PM

Rob,

That is the correct header, but the rest of the log is missing. :thumbup2:


Did you previously run ComboFix on your own? :) It says you ran it four times.


Delete the version of ComboFix you have on your desktop.

Then download a new ComboFix version.

You need to disable your AntiVir Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it, then untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

To disable SPYBOT TEATIMER:
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Now run ComboFix. Post the log after it runs.

Edited by SifuMike, 15 July 2009 - 01:39 PM.

#10 ReLiC71 (Topic Starter)

Posted 15 July 2009 - 07:38 PM

Rob,

Did you previously run ComboFix on your own? :) It says you ran it four times.


No, I'd never even heard of it until you told me to download it, and this was a fresh XP install about a month ago. :thumbup2:

So I followed the instructions again. When it came to time to disable Teatimer, it wasn't showing in the list of items under System Startup in S&D. I was able to disable the Resident part though.

And again, the same thing happened. Combofix ran, went through 50 stages, then said Rebooting PC and rebooted. There was no Preparing Log Report, and I didn't get the Almost Done message. The only things it deleted were a file and a folder, both called sysproc64, directly before rebooting. And I have an identical Combofix log to the one I posted the last time, up to the Avira line, then a line with just a full stop.

There also seems to be something odd when I run Combofix. The first time, the c:\Combofix folder was showing up as My Computer and functioning in the same way as the My Computer icon, and this time it shows as a normal folder, but the contents are Arranged by Type and Shown in Groups. That's not how any of my folders are configured, and I didn't change this one. I don't know if that's normal, but it seems worthy of mention, just in case it's not.

#11 SifuMike (malware expert, Staff Emeritus)

Posted 15 July 2009 - 08:24 PM

Hi Rob,

Very strange! :thumbup2: Looks like something is preventing it from running to completion.
See if there is a ComboFix.txt log on your computer. If so, then post it.

Also, see if there is a file called C:\Qoobox\ComboFix-quarantined-files.txt. If so, then post it.

#12 SifuMike (malware expert, Staff Emeritus)

Posted 15 July 2009 - 08:50 PM

and Avira jumped in and alerted me with this message: "A virus or unwanted program was found! C:\Combofix\n.pif. The file contains an executable program that is disguised by a harmless file extension. (HIDDENEXT/Crypted)"


I think you may have killed one of ComboFix's files.
Did you quarantine the above file, delete it, or ignore it?


In the Control Center, select the Manager section, then the Quarantine section. Highlight the file and click the Windows XP icon at the top of the Manager screen. A message will appear, "Do you want to restore file?"; click "Yes".
The file will be restored to the folder it was in before it was moved to quarantine.

Then try ComboFix again.

Edited by SifuMike, 15 July 2009 - 09:29 PM.

#13 ReLiC71 (Topic Starter)

Posted 16 July 2009 - 02:32 AM

Hi Rob,

Very strange! :thumbup2: Looks like something is preventing it from running to completion.
See if there is a ComboFix.txt log on your computer. If so, then post it.

Also, see if there is a file called C:\Qoobox\ComboFix-quarantined-files.txt. If so, then post it.



Hi Mike

This Combofix.txt is from c:\Combofix

ComboFix 09-07-14.08 - ReLiC 16/07/2009 1:06:35.2.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1590 [GMT 1:00]
Running from: C:\Documents and Settings\ReLiC\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.




This one is from c:\Qoobox

ComboFix 09-07-14.07 - ReLiC 15/07/2009 11:52:25.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1624 [GMT 1:00]
Running from: C:\Documents and Settings\ReLiC\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.



I can't find any Combofix-quarantined-files.txt.

and Avira jumped in and alerted me with this message: "A virus or unwanted program was found! C:\Combofix\n.pif. The file contains an executable program that is disguised by a harmless file extension. (HIDDENEXT/Crypted)"


I think you may have killed one of ComboFix's files.
Did you quarantine the above file, delete it, or ignore it?


In the Control Center, select the Manager section, then the Quarantine section. Highlight the file and click the Windows XP icon at the top of the Manager screen. A message will appear, "Do you want to restore file?"; click "Yes".
The file will be restored to the folder it was in before it was moved to quarantine.


I Ignored n.pif, as I thought it might be a false positive.

I can't find any occurrence of the file in Avira's quarantine section to restore it. The only quarantined files are 4 in c:\Qoobox, 3 instances of the same file/virus in c:\Windows and 10 in System Volume Information across three of my HDs. I've attached a screenshot of the listing.

Edit: When I run Combofix again (I can't at the moment, as I'm heading out to work) and it reboots, should I be leaving it to enter Windows normal mode, or selecting the Recovery Console during the reboot? I couldn't see anything about it on the instructions and I don't know if that's what's caused the problems with the log being generated. I've just let it boot into Normal mode both times so far.


Edited by ReLiC71, 16 July 2009 - 03:24 AM.


#14 ReLiC71 (Topic Starter)

Posted 16 July 2009 - 11:32 AM

Hi Mike

Progress!

I left Malwarebytes running when I left for work this morning, and it's successfully completed the scan this time and generated a log.

The bad news is that I closed the log without manually saving it, and now I can't find it. It found no malicious software though.

Also, Windows Malicious Software Removal Tool discovered and removed a backdoor, so it looks like I've at least found out how this stuff got onto my machine.

I've completely removed the old version of Combofix from the machine using the combofix /u command, so it should be ready to give it another attempt, if it's needed.

I didn't want to run Combofix till I was certain that it should be done again, but I figured it was safe to run a DDS so you can see how things stand at the moment.

Log to follow:

DDS (Ver_09-06-26.01) - NTFSx86
Run by ReLiC at 17:28:40.26 on 16/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1172 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RayV\RayV\RayV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\ReLiC\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RayV] c:\program files\rayv\rayv\RayV.exe /background
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\relic\applic~1\mozilla\firefox\profiles\surk3hdz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.thingbox.com|http://www.wow-easy.net/|http://www.wow-easy.com/template.php?page=mainwhatiseasy|http://www.facebook.com/
FF - plugin: c:\program files\rayv\rayv\plugins\nprayvplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-2 11608]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/29 17:56:08];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-2 55640]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-5-21 93184]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2009-5-18 26240]
S2 zdbzg;zdbzg;\??\c:\windows\system32\drivers\pfvppibgjzja.sys --> c:\windows\system32\drivers\pfvppibgjzja.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 cpuz130;cpuz130;\??\c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-18 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]

=============== Created Last 30 ================

2009-07-16 03:01 127 a------- c:\windows\system32\MRT.INI
2009-07-16 01:05 389,120 a------- c:\windows\system32\CF609.exe
2009-07-15 11:43 <DIR> a-dshr-- C:\cmdcons
2009-07-15 11:41 389,120 a------- c:\windows\system32\CF6996.exe
2009-07-15 11:33 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-15 08:45 <DIR> --d----- c:\program files\Trend Micro
2009-07-14 00:23 <DIR> --d----- c:\docume~1\relic\applic~1\Ubisoft
2009-07-11 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\hitpointstudios
2009-07-11 19:19 <DIR> --d----- c:\program files\CLUE Accusations and Alibis
2009-07-11 11:00 <DIR> --d----- c:\docume~1\relic\applic~1\Enlightenus
2009-06-26 13:03 <DIR> --d----- c:\docume~1\relic\applic~1\RayV
2009-06-26 13:03 <DIR> --d----- c:\program files\RayV
2009-06-21 15:16 <DIR> --d----- c:\docume~1\relic\applic~1\Neverball
2009-06-21 14:57 <DIR> --d----- c:\program files\GPL
2009-06-21 14:56 <DIR> --d----- c:\program files\Algodoo Phun Edition
2009-06-19 13:05 <DIR> --d----- c:\docume~1\relic\applic~1\BrandX Games
2009-06-17 04:24 <DIR> --d----- c:\docume~1\relic\applic~1\SunRay Games
2009-06-17 03:35 <DIR> --d----- c:\windows\Dream Chronicles The Chosen Child
2009-06-17 03:32 <DIR> --d----- c:\windows\Real Crimes - The Unicorn Killer
2009-06-17 03:32 <DIR> --d----- c:\windows\Mystic Diary - Lost Brother

==================== Find3M ====================

2009-07-15 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-05 12:56 447,752 a------- c:\windows\system32\vp6vfw.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-29 17:54 505,128 a------- c:\windows\system32\msvcp71.dll
2009-05-29 17:54 353,576 a------- c:\windows\system32\msvcr71.dll
2009-05-29 17:54 29,480 a------- c:\windows\system32\msxml3a.dll
2009-05-27 18:48 39,424 a------- c:\windows\zipinst.exe
2009-05-22 02:40 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-22 02:40 22,328 a------- c:\docume~1\relic\applic~1\PnkBstrK.sys
2009-05-22 02:40 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-05-22 02:40 669,184 a------- c:\windows\system32\pbsvc.exe
2009-05-22 02:40 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-05-21 16:53 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-05-20 23:53 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-20 10:20 73,312 a------- c:\windows\system32\drivers\adfs.sys
2009-05-19 06:48 94,706 a------- c:\windows\HPHins03.dat
2009-05-18 15:59 16,512 a------- c:\windows\gdrv.sys
2009-05-18 15:57 315,392 a------- c:\windows\HideWin.exe
2009-05-18 15:50 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-05-18 15:45 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-18 13:17 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-11 12:35 630,784 a------- c:\windows\ElectricSheep_2_7b16.scr
2009-05-10 17:18 60,416 a------- c:\windows\zlib1.dll
2009-05-10 17:17 162,304 a------- c:\windows\libpng13.dll
2009-05-09 20:57 122,368 a------- c:\windows\lua5.1.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 08:04 9,250,816 a------- c:\windows\avcodec-52.dll
2009-04-28 08:04 733,184 a------- c:\windows\avformat-52.dll
2009-04-28 08:04 211,968 a------- c:\windows\swscale-0.dll
2009-04-28 08:04 70,144 a------- c:\windows\avutil-50.dll
2009-04-26 15:28 892,928 a------- c:\windows\iconv.dll
2009-04-26 15:28 626,688 a------- c:\windows\msvcr80.dll
2009-04-26 15:28 127,488 a------- c:\windows\jpeg62.dll

============= FINISH: 17:29:04.18 ===============

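The DDS log above contains the kind of entry a helper looks for first in the SERVICES / DRIVERS section: a service with a random-looking name whose driver file DDS could not find on disk (`S2 zdbzg;zdbzg;...pfvppibgjzja.sys [?]`). As an added example, not part of the thread and not code from DDS, ComboFix or Malwarebytes, the Python script below parses that section and triages each entry. The service lines it reads are copied from the log posted above; the triage heuristics (missing image file, image under a temp directory, a long consonant run in the service or file name) are this example's own assumptions, not rules used by DDS.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Service / driver lines copied from the SERVICES / DRIVERS section of the
# DDS log posted above (raw string, so the Windows paths need no escaping).
DDS_SERVICES = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-2 11608]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-2 185089]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2009-5-18 26240]
S2 zdbzg;zdbzg;\??\c:\windows\system32\drivers\pfvppibgjzja.sys --> c:\windows\system32\drivers\pfvppibgjzja.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\relic\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
"""

# DDS line shape assumed here: "<state> <name>;<display>;<path> [<date size> | ?]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str            # R = running, S = stopped, followed by start type
    name: str             # service key name
    display: str          # display name
    image: str            # path DDS resolved the driver/executable to
    file_found: bool      # False when DDS printed "[?]" (no file on disk)
    flags: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse SERVICES / DRIVERS lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # "registry path --> resolved path" form: keep the resolved path
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        entries.append(ServiceEntry(
            state=m.group("state"), name=m.group("name"),
            display=m.group("display"), image=path,
            file_found=(m.group("meta").strip() != "?")))
    return entries


def looks_machine_generated(token: str, run_len: int = 4) -> bool:
    """Heuristic (assumption of this example): a run of run_len or more
    consonants with no vowel or digit between them is rare in real
    product names but common in randomly generated ones."""
    run = 0
    for ch in token.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            if run >= run_len:
                return True
        else:
            run = 0
    return False


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Attach triage flags to each entry and return the flagged ones,
    most flags first. Flags are rebuilt on every call."""
    for e in entries:
        basename = e.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        flags = []
        if not e.file_found:
            flags.append("image file not found on disk")
        if "\\temp\\" in e.image.lower():
            flags.append("image loaded from a temp directory")
        if looks_machine_generated(e.name):
            flags.append("service name looks machine-generated")
        if looks_machine_generated(basename):
            flags.append("image filename looks machine-generated")
        e.flags = flags
    return sorted((e for e in entries if e.flags), key=lambda e: -len(e.flags))


if __name__ == "__main__":
    for hit in triage(parse_dds_services(DDS_SERVICES)):
        print(f"{hit.state} {hit.name}: {hit.image}")
        for flag in hit.flags:
            print(f"    - {flag}")
```

On the log above this reports the zdbzg service with three flags (missing file, machine-generated service name, machine-generated driver name) and the leftover cpuz130 entry with two (missing file, temp directory); the Avira, Creative and GMFilter entries are not flagged. A missing file alone is not proof of infection, as the CPU-Z leftover shows, which is why the name heuristic is kept separate and the output is a ranked list for a human to review rather than a verdict.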

#15 SifuMike (malware expert, Staff Emeritus)

Posted 16 July 2009 - 12:19 PM

Hi Rob,

The bad news is that I closed the log without manually saving it, and now I can't find it. It found no malicious software though.


The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

I can't find any Combofix-quarantined-files.txt.

That means it did not run. :thumbup2:


I've completely removed the old version of Combofix from the machine using the combofix /u command, so it should be ready to give it another attempt, if it's needed.


Let's try running ComboFix a different way.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along so we can continue cleaning the system.
