
Redirect Virus-please help

Posted 12/11/2008 3:31 PM
#69756

oxden Member

Date Joined Nov 2016
Total Posts: 8
Hi Touch,




Hi, I am repeating my problem: my laptop has a problem with Google/Yahoo; all search results are redirected to another page. I have followed your advice through this forum. I have already installed CCleaner and Malwarebytes; unfortunately, after I installed Malwarebytes I cannot open this software, and it didn't launch when the installation finished. Is the virus blocking this software? This problem also happened when I tried to launch Spybot.



I really appreciate your help and your kind attention.



Best Regards



PS: Below is my log file from Hijackthis



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23:36, on 11/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RTPSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\BisonCam\BisonHK.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*https://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.virginmedia.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*https://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*https://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*https://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 www.a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PCMAV-RTP] "C:\DOCUME~1\axioo\LOCALS~1\Temp\Rar$EX17.750\PCMAV 1.9-pcmav.server.or.id\PCMAV-RTP.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 12587 bytes

Posted 12/11/2008 3:58 PM
#69758

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello again :smile:




Do you know these addresses in your hosts file?

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 12/12/2008 3:15 AM
#69773

oxden Member

Date Joined Nov 2016
Total Posts: 8
I do not have any idea about that hosts file; I thought that I never opened that address. Is that the problem?
Posted 12/12/2008 3:18 AM
#69774

oxden Member

Date Joined Nov 2016
Total Posts: 8
Wait a minute: last week my laptop was infected by Antivirus2009, and I tried to remove it manually by deleting some folders and its registry entries; I found manual instructions on the web on how to remove the virus. Is there any connection with this virus?
Posted 12/12/2008 6:10 AM
#69779

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Probably ;-)




Download HostsXpert: https://www.majorgeeks.com/Hoster_d4626.html
Choose one of the servers at MajorGeeks... save the file on your desktop.





  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager

  • Run HostsXpert 4.2 - Hosts File Manager from its new home

  • Click on "File Handling".

  • Click on "Restore MS Hosts File".

  • Click OK on the Confirmation box.

  • Click on "Make Read Only?"

  • Click the X to exit the program.

  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Reboot.




Download: CCleaner
https://www.majorgeeks.com/download4191.html
https://www.ccleaner.com/

Once installed, run CCleaner and click the Windows tab.

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data


Next: click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs.", then click OK.


Then click Run Cleaner (bottom right), then Exit.

Reboot



Please download Malwarebytes' Anti-Malware:

https://www.spywarefri.dk/downloads1/mbam-setup.exe



Or here:

https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968



to your desktop.



Double-click mbam-setup.exe and follow the prompts to install the program.



At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



If an update is found, it will download and install the latest version.



Once the program has loaded, select Perform full scan, then click Scan.



When the scan is complete, click OK, then Show Results to view the results.



Be sure that everything is checked, and click Remove Selected.



When completed, a log will open in Notepad. Please save it to a convenient location.





Post the HijackThis log along with the Malwarebytes' Anti-Malware log.



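The two hosts-file points in this thread (Touch's question about the 217.20.175.74 entries in the HijackThis log, and the HostsXpert steps that restore the stock hosts file and make it read-only) can be checked and reproduced with a short script. The following is an added example, not code from the thread, from HostsXpert or from BullGuard: it parses HijackThis O1 lines or a raw hosts file, flags any public address that several hostnames resolve to (the redirect pattern in the log above), and builds a replacement file that keeps only the stock localhost line plus entries pointing at loopback or private addresses. The sample log is constructed from the entries posted above; the threshold of three hostnames, the stock hosts content, and the decision to keep loopback/private entries (HostsXpert replaces the whole file and leaves custom entries to the user) are assumptions, and the `ads.example.invalid` line is a hypothetical user-maintained entry.

```python
import os
import re
import stat
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape HijackThis prints its O1 section. The redirect
# entries repeat the address and hostnames from the log posted in this thread;
# the ads.example.invalid line is a hypothetical user-maintained entry, and the
# O2 line shows that non-hosts lines are ignored.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ads.example.invalid
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 www.a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: Example BHO - {00000000-0000-0000-0000-000000000000} - C:\\example.dll
"""

# Matches a raw hosts line ("address hostname") or a HijackThis O1 line.
ENTRY = re.compile(r"^\s*(?:O1 - Hosts:\s*)?(\S+)\s+([^#\s]+)")

# The single mapping a stock Windows XP hosts file contains (assumed layout).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_host_entries(text):
    """Return [(address, hostname)] from HijackThis O1 lines or raw hosts lines.
    Comments, blank lines and lines whose first field is not an IP are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        address, host = m.groups()
        try:
            ip_address(address)
        except ValueError:
            continue  # e.g. an O2/O4 line: its first field is "O2", not an address
        entries.append((address, host.lower()))
    return entries


def is_local_target(address):
    """Loopback, unspecified or RFC 1918 targets: the only destinations a
    hand-maintained hosts file normally points at."""
    a = ip_address(address)
    return a.is_loopback or a.is_unspecified or a.is_private


def find_hijacks(entries, min_hosts=3):
    """Group hostnames by target and report each public address that collects
    min_hosts or more distinct names: one remote IP absorbing many unrelated
    domains is the redirect pattern seen in the log above."""
    by_ip = defaultdict(set)
    for address, host in entries:
        by_ip[address].add(host)
    return {address: sorted(hosts) for address, hosts in by_ip.items()
            if not is_local_target(address) and len(hosts) >= min_hosts}


def build_clean_hosts(entries):
    """Replacement hosts text: the stock localhost line, then any entry that
    points at a local target (the user's own lines), so only entries pointing
    at public addresses are dropped. Returns text; nothing is written here."""
    lines = [DEFAULT_HOSTS.rstrip("\n")]
    for address, host in entries:
        if is_local_target(address) and (address, host) != ("127.0.0.1", "localhost"):
            lines.append(f"{address} {host}")
    return "\n".join(lines) + "\n"


def write_read_only(path, content):
    """Write content to path and clear the write bit (the read-only attribute on
    Windows), the equivalent of HostsXpert's 'Make Read Only?' step. Clears the
    bit first so a previous run does not block the rewrite. Returns True when
    the file ends up read-only."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", encoding="ascii") as f:
        f.write(content)
    os.chmod(path, stat.S_IREAD)
    return not os.stat(path).st_mode & stat.S_IWRITE


if __name__ == "__main__":
    found = parse_host_entries(SAMPLE_LOG)
    for address, hosts in find_hijacks(found).items():
        print(f"{address} receives {len(hosts)} hostnames: {', '.join(hosts)}")
    print("replacement hosts file:")
    print(build_clean_hosts(found), end="")
```

Run stand-alone it reports the 217.20.175.74 group and prints the cleaned file. To check a real machine, feed the contents of `%SystemRoot%\system32\drivers\etc\hosts` (or the O1 lines of a HijackThis log) to `parse_host_entries` instead of the sample, review the findings, and only then call `write_read_only` on that path from an elevated prompt; a redirect entry for a site the user never visited is, as Touch's question implies, the sign that the file was written by something other than the user.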
Posted 12/12/2008 8:21 PM
#69822

oxden Member

Date Joined Nov 2016
Total Posts: 8
hi Touch,

I have run the MajorGeeks download, rebooted, then CCleaner, rebooted, and installed Malwarebytes, but Malwarebytes didn't launch after the installation was finished. Also, when I try to double-click its icon on my desktop... what is happening?
Posted 12/13/2008 12:20 AM
#69829

boz2182 Member

Date Joined Nov 2016
Total Posts: 1
I had this same type of virus and, following your steps, it seems to be completely resolved! Thank you, Touch, for saving my sanity!
Posted 12/13/2008 4:41 AM
#69838

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
oxden - try it again, slightly different ->



Download Malwarebytes:

https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968



Save the file as setup.exe


Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze... it hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.
Go into the Malwarebytes folder under Program Files.
Rename the mbam.exe file (or whatever it is called) to mab.exe and run it.
Do a full computer scan.
Check all and remove/fix/delete them.


Restart your computer and post the log.



If you can't do it from normal mode, try from safe mode with networking.





Glad to hear that boz2182 :smile:




Posted 12/14/2008 4:01 PM
#69921

oxden Member

Date Joined Nov 2016
Total Posts: 8
Hi Touch,

I have already done everything you advised; Malwarebytes is running with your method... it's great... my Google is normal again... I can google without being redirected to another place... This is the log from Malwarebytes. After this, what should I do next... is it done?

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

14/12/2008 15:48:56
mbam-log-2008-12-14 (15-48-56).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 101286
Time elapsed: 36 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 14
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fc8a493f-d236-4653-9a03-2bf4fd94f643} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\extra antivir (Rogue.Extraantivir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\axioo\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Rapid Antivirus\Uninstall.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\quarantine\TDSSa478.tmp.Vir (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoexh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSSa478.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxmp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhym.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Delete on reboot.
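As an added example (not part of the thread, and not Malwarebytes' own tooling), the following script reads a Malwarebytes' Anti-Malware 1.x log in the layout posted above, re-joins item lines that forum posting has wrapped, checks each summary count against the items actually listed, and separates what was quarantined from what is still marked "Delete on reboot". The pending-reboot list is the useful output: those files stay on disk until the machine restarts, which is why a follow-up scan or an additional log is worth asking for before calling the clean-up done. The embedded log is a constructed excerpt built from items in the log above with the counts reduced to match; the regular expressions are assumptions about the log layout, not a published format.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.31 log posted above (a subset
# of its items, with the summary counts reduced to match); stand-in data only.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1456

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Trojan.TDSS) -> Delete on reboot.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
""".lstrip("\n")

# Assumed layout: "<Category> Infected: N" in the summary block, "<Category>
# Infected:" as a section header, and "<target> (<family>) -> <action>." per item.
SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
HEADER = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, sections): summary maps a category to its reported count,
    sections maps it to the listed items as {target, family, action} dicts.
    An item wrapped over several lines (as in the post above) is accumulated
    until its terminating period, so the parser tolerates forum line breaks."""
    summary, sections = {}, {}
    current, buffer = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER.match(line)
        if m:
            current, buffer = m.group(1), ""
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        buffer = (buffer + " " + line).strip()
        if not buffer.endswith("."):
            continue  # wrapped item: wait for the rest of the line
        m = ITEM.match(buffer)
        if m:
            sections[current].append(m.groupdict())
        buffer = ""
    return summary, sections


def check_counts(summary, sections):
    """Categories whose reported count differs from the items actually listed,
    as {category: (reported, listed)}; a mismatch means lines were lost when
    the log was pasted, so the log should be re-posted before acting on it."""
    return {name: (summary.get(name), len(items))
            for name, items in sections.items() if summary.get(name) != len(items)}


def pending_reboot(sections):
    """Targets MBAM could not remove while Windows was running; until the
    reboot has happened they are still present on disk."""
    return [item["target"] for items in sections.values() for item in items
            if item["action"].lower().startswith("delete on reboot")]


def families(sections):
    """Detection family -> number of items, a quick picture of what was found."""
    counts = {}
    for items in sections.values():
        for item in items:
            counts[item["family"]] = counts.get(item["family"], 0) + 1
    return counts


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("count mismatches:", check_counts(summary, sections) or "none")
    print("families:", families(sections))
    for target in pending_reboot(sections):
        print("still pending reboot:", target)
```

On the real log above the same functions would show the TDSS DLLs, the driver and the two .log files as pending reboot, with the Image File Execution Options key for explorer.exe already quarantined; a second scan after the restart is what confirms the pending entries are gone.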
Posted 12/15/2008 5:27 AM
#69945

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Sounds good :smile:




However, I'll suggest you post a ComboFix log ->




Please download Combofix:

https://download.bleepingcomputer.com/sUBs/ComboFix.exe





And save to the desktop.


Close all other browser windows.









Important -> Temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".





Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.



Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.


When finished, it will produce a logfile located at C:\combofix.txt.




Post the contents of that log in your next reply.




Posted 12/15/2008 1:11 PM
#69954

oxden Member

Date Joined Nov 2016
Total Posts: 8
Hi Touch,

I have run ComboFix; this is the log (I forgot that I saved it to E: and ran it from there):

ComboFix 08-12-14.04 - axioo 2008-12-15 12:59:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.156 [GMT 0:00]
Running from: e:\master program\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dbfb.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2100-02-16 15:09 . 2001-02-16 14:37 62 --a------ c:\windows\system32\LXBOUSCI.INI
2008-12-14 15:10 . 2008-12-14 15:10 d-------- c:\documents and settings\axioo\Application Data\Malwarebytes
2008-12-14 10:33 . 2008-12-14 14:26 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 10:33 . 2008-12-14 10:33 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 10:33 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 10:33 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 16:17 . 2008-12-12 16:19 d-------- C:\HostsXpert
2008-12-11 15:22 . 2008-12-11 15:22 d-------- c:\program files\Trend Micro
2008-12-11 03:00 . 2008-12-11 03:04 1,393 --a------ c:\windows\imsins.BAK
2008-12-10 21:40 . 2008-12-10 21:40 153,600 --------- c:\windows\system32\RTPSvc.exe
2008-12-10 21:40 . 2008-12-10 21:40 118,272 --a------ c:\windows\system32\RTPScan.dll
2008-12-10 19:04 . 2008-12-12 19:56 d-------- c:\program files\shahia1
2008-12-10 15:07 . 2008-12-10 15:07 d-------- c:\program files\CCleaner
2008-12-10 13:31 . 2008-12-10 13:31 d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-10 13:31 . 2008-12-10 13:31 d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-10 13:30 . 2008-12-14 15:59 d-------- c:\program files\McAfee
2008-12-10 13:30 . 2008-12-10 13:30 d-------- c:\program files\Common Files\McAfee
2008-12-10 13:30 . 2008-12-10 13:30 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-10 12:47 . 2008-12-14 23:34 d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 12:47 . 2008-12-14 23:36 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 10:35 . 2008-12-07 10:35 d-------- c:\program files\Lavasoft
2008-12-07 10:35 . 2008-12-10 14:08 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 07:22 . 2008-12-06 07:30 d-------- c:\documents and settings\axioo\Application Data\Affinegy
2008-12-06 07:19 . 2008-12-06 07:19 d-------- c:\program files\WinPcap
2008-12-06 07:19 . 2008-05-26 16:09 27,072 --a------ c:\windows\system32\drivers\AFGSp50.sys
2008-12-06 07:18 . 2008-12-06 07:19 d-------- c:\program files\Virgin Broadband Wireless
2008-12-06 07:18 . 2008-12-06 07:19 d-------- c:\documents and settings\All Users\Application Data\Affinegy
2008-12-05 23:55 . 2008-12-06 00:01 d-------- c:\program files\Eusing Free Registry Cleaner
2008-12-05 22:22 . 2008-12-05 22:22 0 --a------ C:\LOG1B.tmp
2008-12-05 21:02 . 2008-12-05 21:02 d--h----- C:\$AVG8.VAULT$
2008-12-05 20:55 . 2008-12-05 23:07 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-05 20:48 . 2008-12-05 20:48 0 --a------ C:\LOG12.tmp
2008-12-05 19:46 . 2008-12-05 19:46 0 --a------ C:\LOG29.tmp
2008-12-05 19:29 . 2008-12-05 19:53 d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-05 19:27 . 2008-12-05 19:27 0 --a------ C:\LOG28.tmp
2008-11-26 11:02 . 2008-11-26 11:02 0 --a------ C:\LOG34.tmp
2008-11-26 09:41 . 2008-11-26 09:41 d-------- c:\documents and settings\axioo\Application Data\s_6002_fHx8fHx8fDEyNDAyOTkwMjN8_
2008-11-26 09:19 . 2008-12-12 20:59 d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-25 22:10 . 2008-12-15 13:05 20 --a------ c:\windows\ACMonitor_X84-X85.ini
2008-11-25 22:09 . 2008-11-25 22:47 d-------- c:\program files\LexmarkX84-X85
2008-11-25 22:09 . 2002-09-18 18:58 33,792 --------- c:\windows\system32\LXBOUSCI.EXE
2008-11-25 22:09 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-25 22:09 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-25 22:09 . 2002-09-19 15:06 4,672 --a------ c:\windows\system32\LXBOUSCI.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 10:18 --------- d-----w c:\program files\Google
2008-12-05 22:22 --------- d-----w c:\documents and settings\axioo\Application Data\U3
2008-12-04 15:42 6,656 ----a-w c:\windows\system32\drivers\aec.sys
2008-11-21 14:52 --------- d-----w c:\documents and settings\axioo\Application Data\Skype
2008-11-21 13:11 --------- d-----w c:\documents and settings\axioo\Application Data\skypePM
2008-11-08 23:21 --------- d-----w c:\documents and settings\axioo\Application Data\Yahoo!
2008-11-08 23:21 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-08 23:14 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-29 18:05 --------- d-----w c:\documents and settings\axioo\Application Data\Camfrog
2008-10-25 14:33 --------- d-----w c:\program files\Way2Cool4School
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ------w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 09:32 120 ----a-w c:\program files\forevermopt.INI
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-07-19 02:24 245 ----a-w c:\program files\mafosav.INI
2008-06-18 07:11 75,655 ----a-w c:\program files\UnMario.exe
2004-06-12 20:23 1,208,826 ----a-w c:\program files\Info MF.exe
2004-06-06 23:37 13,762,037 ----a-w c:\program files\Mario Forever.exe
2004-05-20 13:02 40,792 ----a-w c:\program files\ktkm4.dll
2004-05-16 22:00 2,645,872 ----a-w c:\program files\ktkm39.dll
2004-01-01 22:12 13,506 ----a-w c:\program files\icoinst.bmp
2004-01-01 21:57 132,342 ----a-w c:\program files\leftinst.bmp
2003-10-26 18:58 524,537 ----a-w c:\program files\ktkm18.dll
2003-10-03 00:04 307,617 ----a-w c:\program files\ktkm15.dll
2002-09-15 13:59 47,104 ----a-w c:\program files\rubberovine.dll
2002-03-03 13:34 538,410 ----a-w c:\program files\ktkm20.dll
2002-02-25 18:45 66,908 ----a-w c:\program files\ktkm17.dll
2002-02-25 18:44 209,936 ----a-w c:\program files\ktkm14.dll
2002-02-25 18:43 99,867 ----a-w c:\program files\ktkm13.dll
2002-02-25 18:42 62,631 ----a-w c:\program files\ktkm11.dll
2002-02-25 18:42 116,841 ----a-w c:\program files\ktkm26.dll
2002-02-25 18:38 81,427 ----a-w c:\program files\ktkm31.dll
2002-02-25 18:37 326,441 ----a-w c:\program files\ktkm32.dll
2002-02-25 18:35 92,400 ----a-w c:\program files\ktkm7.dll
2002-02-25 18:33 268,621 ----a-w c:\program files\ktkm33.dll
2002-02-25 18:31 197,408 ----a-w c:\program files\ktkm29.dll
2002-02-25 18:02 70,888 ----a-w c:\program files\ktkm19.dll
2002-02-25 17:57 58,192 ----a-w c:\program files\ktkm6.dll
2002-02-25 17:55 96,166 ----a-w c:\program files\ktkm1.dll
2002-02-25 17:49 55,186 ----a-w c:\program files\ktkm5.dll
2002-02-25 17:44 22,657 ----a-w c:\program files\ktkm3.dll
2002-02-25 17:37 20,926 ----a-w c:\program files\ktkm36.dll
2002-02-25 17:36 58,015 ----a-w c:\program files\ktkm10.dll
2002-02-25 17:32 20,974 ----a-w c:\program files\ktkm2.dll
2002-02-25 17:32 169,789 ----a-w c:\program files\ktkm38.dll
2002-02-25 17:31 128,042 ----a-w c:\program files\ktkm30.dll
2001-11-27 13:47 73,728 ----a-w c:\program files\CCTrans.dll
2001-11-27 13:46 285,696 ----a-w c:\program files\cncs232.dll
2000-11-05 16:56 81,920 ----a-w c:\program files\STrans.dll
2000-06-20 22:04 113,152 ----a-w c:\program files\SFTrans.dll
2000-02-28 16:26 92,660 ----a-w c:\program files\bass.dll
1999-03-25 09:55 56,992 ----a-w c:\program files\ktkm24.dll
1998-08-11 14:08 64,070 ----a-w c:\program files\ktkm21.dll
1998-07-01 10:29 30,166 ----a-w c:\program files\ktkm9.dll
1998-06-29 03:16 10,240 ----a-w c:\program files\ktkm34.dll
1998-04-22 23:27 23,364 ----a-w c:\program files\ktkm8.dll
1997-10-09 18:27 98,442 ----a-w c:\program files\ktkm35.dll
1997-05-09 13:14 370,880 ----a-w c:\program files\ktkm22.dll
1997-03-18 08:13 803,601 ----a-w c:\program files\ktkm16.dll
1997-01-18 13:45 524,164 ----a-w c:\program files\ktkm12.dll
1996-04-02 13:02 65,092 ----a-w c:\program files\ktkm27.dll
1996-04-02 13:02 49,094 ----a-w c:\program files\ktkm25.dll
1996-04-02 13:01 126,720 ----a-w c:\program files\ktkm23.dll
1994-10-06 10:14 82,542 ----a-w c:\program files\ktkm37.dll
1994-04-01 21:26 100,786 ----a-w c:\program files\ktkm28.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-04-22 1196032]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-11-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-11-01 126976]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2006-05-15 73728]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-09 135251]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-22 282624]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"Lexmark X84-X85 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2003-01-08 40960]
"Lexmark X84-X85 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 36864]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 c:\windows\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-02-22 2938184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonTrayIcon]
--a------ 2005-09-05 09:51 45056 c:\windows\BisonCam\BisonTrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2006-04-14 04:56 569413 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2006-04-14 04:52 602182 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2006-04-14 04:51 667718 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 09:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KTPWare]
-ra------ 2005-04-04 03:51 253952 c:\program files\Elantech\Ktp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-05-22 14:07 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 13:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2001-12-26 07:12 472576 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra------ 2006-01-26 07:01 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-12-10 206096]
R2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe [2008-12-10 153600]
R3 Ktp;Elantech Touchpad;c:\windows\system32\DRIVERS\Ktp.sys [2007-02-19 25984]
S2 0035631229270478mcinstcleanup;McAfee Application Installer Cleanup (0035631229270478);c:\windows\TEMP\003563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17da9ea0-f7e0-11db-a0a7-00030d000001}]
\Shell\AutoRun\command - F:\innodisk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42fcd6e9-149b-11dc-a0ba-00030d000001}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42fcd6ea-149b-11dc-a0ba-00030d000001}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pServerMouse.exe
\Shell\Explore\Command - pServerMouse.exe
\Shell\Open\Command - pServerMouse.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b46ea457-7335-11dd-a3d8-00030d000001}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e019aa4e-f8aa-11db-a0a9-00030d000001}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4d9ca6b-5dd6-11dd-a38e-00030d000001}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MyImages.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9ca4b22-5c7b-11dd-a389-00166fc34140}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*https://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*https://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*https://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://id.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-12-15 13:04:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2008-12-15 13:07:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 13:07:04

Pre-Run: 31,391,436,800 bytes free
Post-Run: 32,117,452,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

292 --- E O F --- 2008-12-11 03:04:32


Please check it...thanks...
Posted 12/17/2008 8:18 AM
#70031
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
How are things running now ?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 12/17/2008 1:09 PM
#70038
User avatar

oxden Member

Date Joined Nov 2016
Total Posts: 8
The Google/Yahoo results do not redirect to another site... it is normal now...
Posted 12/18/2008 4:17 AM
#70068
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Sounds good :smile:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->

Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And reset System Restore again.



Also, please read this article by Tony Klein: How I got Infected in the First Place



Posted 12/19/2008 8:33 AM
#70121
User avatar

oxden Member

Date Joined Nov 2016
Total Posts: 8
Millions of thanks for your help Touch... you are the best...
Posted 12/19/2008 10:58 AM
#70124
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Thank You :smile:

Since this issue appears to be resolved ... this Topic has been closed.
If you need this topic reopened, please contact Me with the address of the thread.



