Hesperian

asked on 

I am getting a redirect to download "ie-av.exe" saying that I have a virus

As stated in the title, when I open IE6 I get redirected to a make-believe virus scanning site that tries to download a file named ie-av.exe. Any web browsing causes this to happen. I have seen a similar problem mentioned on your site and was hoping you could help me out.

Following the advice given in the previous thread I mentioned above, I downloaded and ran ComboFix. Please look over the attached log file and direct me on how to remove this.

Thanks in advance.

ComboFix 08-07-15.4 - Carol 2008-07-17 19:02:39.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.420 [GMT -7:00]
Running from: C:\Documents and Settings\Carol\Desktop\ComboFix.exe
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\iexpfl.dll
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mkghj.dll
C:\WINDOWS\system32\richvideocodec.dll
 
.
(((((((((((((((((((((((((   Files Created from 2008-06-18 to 2008-07-18  )))))))))))))))))))))))))))))))
.
 
2008-07-17 18:59 . 2008-07-17 19:00	<DIR>	d--------	C:\hjt
2008-07-17 13:03 . 2008-07-17 13:43	50,448	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-07-17 13:03 . 2008-07-17 13:43	64	--a------	C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-07-17 11:33 . 2008-07-17 13:09	378	--a------	C:\WINDOWS\system32\CTSTATUS.FCS
2008-07-17 11:29 . 2008-07-17 16:29	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\CallingID
2008-07-17 11:19 . 2008-07-17 16:30	<DIR>	d--------	C:\WINDOWS\CAVTemp
2008-07-17 11:15 . 2008-07-17 11:15	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:14 . 2008-07-17 11:14	<DIR>	d--------	C:\Program Files\Common Files\Scanner
2008-07-17 11:07 . 2008-07-17 11:29	<DIR>	d--------	C:\Program Files\CA
2008-07-17 11:07 . 2008-07-17 11:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\CA
2008-07-17 01:57 . 2008-07-17 01:57	<DIR>	d--------	C:\Program Files\Sophos
2008-07-15 16:08 . 2008-07-15 20:44	<DIR>	d--------	C:\Program Files\Shockwave.com
2008-07-15 14:01 . 2008-07-15 14:01	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\Alawar
2008-07-15 10:22 . 2008-07-15 10:22	<DIR>	d--------	C:\My Games
2008-07-15 10:22 . 2008-07-16 11:50	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\AlawarGameBox
2008-07-15 10:21 . 2008-07-15 10:22	<DIR>	d--------	C:\Program Files\Alawar
2008-07-15 09:12 . 2008-07-15 09:12	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\Balloon Express
2008-07-14 14:31 . 2008-07-14 14:31	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\FreshGames
2008-07-14 13:29 . 2008-07-15 11:22	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\VirtualFarm
2008-07-11 17:40 . 2008-07-11 17:40	<DIR>	d--------	C:\Program Files\Common Files\SWF Studio
2008-07-09 11:07 . 2008-07-09 11:07	<DIR>	d--------	C:\BS1pr20083
2008-06-30 16:30 . 2008-06-30 16:30	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\EPSON
2008-06-29 14:47 . 2008-06-29 14:47	<DIR>	d--------	C:\EPSONREG
2008-06-29 14:47 . 2008-06-29 14:47	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\Leadertech
2008-06-29 14:44 . 2008-06-29 14:44	<DIR>	d--------	C:\Program Files\Common Files\ArcSoft
2008-06-29 14:44 . 2008-06-29 14:45	<DIR>	d--------	C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-06-29 14:44 . 2008-06-30 16:42	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\ArcSoft
2008-06-29 14:44 . 2004-08-04 07:52	413,696	-ra------	C:\WINDOWS\system32\msvc4f9d.rra
2008-06-29 14:44 . 2004-12-07 10:11	258,352	--a------	C:\WINDOWS\system32\unicows.dll
2008-06-29 14:44 . 1995-08-01 04:44	212,480	--a------	C:\WINDOWS\PCDLIB32.DLL
2008-06-29 14:44 . 2006-10-20 16:11	126,976	--a------	C:\WINDOWS\system32\PhotoImpression Slideshow.scr
2008-06-29 14:44 . 2005-02-23 14:58	11,776	--a------	C:\WINDOWS\system32\drivers\afc.sys
2008-06-29 14:43 . 2008-06-29 14:44	<DIR>	d--------	C:\WINDOWS\system32\PhotoImpression Slideshow
2008-06-29 14:43 . 2008-06-29 14:44	<DIR>	d--------	C:\Program Files\ArcSoft
2008-06-29 14:41 . 2008-06-29 14:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\EPSON
2008-06-29 14:41 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-29 14:41 . 2004-08-03 22:58	15,104	--a--c---	C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-29 14:39 . 2008-06-29 14:45	<DIR>	d--------	C:\Program Files\epson
2008-06-29 14:39 . 2008-06-29 14:39	<DIR>	d--------	C:\Documents and Settings\Carol\Application Data\InstallShield
2008-06-29 14:39 . 2007-04-18 00:00	67,072	--a------	C:\WINDOWS\system32\escwiad.dll
2008-06-29 14:38 . 2008-06-29 14:47	44	--a------	C:\WINDOWS\EPSCX9400Fax.ini
2008-06-26 14:18 . 2008-06-26 14:18	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\eBay
2008-06-26 14:17 . 2008-06-26 14:17	<DIR>	d--------	C:\Program Files\eBay
2008-06-26 14:17 . 2008-06-26 14:17	<DIR>	d--------	C:\Documents and Settings\All Users\eBay
2008-06-24 12:07 . 2008-06-24 12:07	1,044,480	-ra------	C:\WINDOWS\system32\roboex32.dll
2008-06-24 12:07 . 2008-06-24 12:07	49,152	-ra------	C:\WINDOWS\system32\inetwh32.dll
2008-06-21 17:03 . 2008-06-21 17:03	<DIR>	d--------	C:\Program Files\Activision
2008-06-20 10:41 . 2008-06-20 10:41	245,248	-----c---	C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44	138,368	-----c---	C:\WINDOWS\system32\dllcache\afd.sys
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 18:30	880,560	----a-w	C:\WINDOWS\system32\drivers\vetefile.sys
2008-07-17 18:30	108,368	----a-w	C:\WINDOWS\system32\drivers\veteboot.sys
2008-07-17 18:28	2,732,032	----a-w	C:\WINDOWS\system32\win32cpr.dll
2008-07-17 18:28	1,564,771	----a-w	C:\WINDOWS\system32\winsflt.dll
2008-07-17 18:28	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-17 08:41	---------	d-----w	C:\Program Files\iWin.com
2008-07-17 08:40	---------	d-----w	C:\Documents and Settings\All Users\Application Data\iWin Games
2008-07-17 01:39	---------	d-----w	C:\Program Files\Flower Stand Tycoon
2008-07-17 00:42	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 22:49	---------	d-----w	C:\Program Files\PowerArchiver
2008-07-16 22:34	---------	d-----w	C:\Program Files\MSN Games
2008-07-16 02:34	---------	d-----w	C:\Documents and Settings\Carol\Application Data\PlayFirst
2008-07-15 20:58	---------	d-----w	C:\Documents and Settings\Carol\Application Data\Gaijin Ent
2008-07-15 12:38	21,840	----atw	C:\WINDOWS\system32\SIntfNT.dll
2008-07-15 12:38	17,212	----atw	C:\WINDOWS\system32\SIntf32.dll
2008-07-15 12:38	12,067	----atw	C:\WINDOWS\system32\SIntf16.dll
2008-07-10 21:55	---------	d-----w	C:\Program Files\Sportsbook Poker
2008-06-28 20:12	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-28 20:12	103,736	----a-w	C:\WINDOWS\system32\PnkBstrB.exe
2008-06-22 15:45	---------	d-----w	C:\Program Files\Nancy Drew
2008-06-22 00:27	66,872	----a-w	C:\WINDOWS\system32\PnkBstrA.exe
2008-06-22 00:22	22,328	----a-w	C:\Documents and Settings\Carol\Application Data\PnkBstrK.sys
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 18:51	---------	d-----w	C:\Program Files\Coupons
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:13	---------	d-----w	C:\Program Files\Absolute Poker
2008-06-06 22:47	---------	d-----w	C:\Documents and Settings\Carol\Application Data\Creative Memories
2008-06-06 20:22	---------	d-----w	C:\Program Files\Creative Memories
2008-06-02 20:06	91,376	----a-w	C:\WINDOWS\system32\isafprod.dll
2008-06-02 20:06	83,256	----a-w	C:\WINDOWS\system32\vetredir.dll
2008-06-02 20:06	32,240	----a-w	C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-02 20:06	26,352	----a-w	C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-02 20:06	21,488	----a-w	C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-02 20:06	21,104	----a-w	C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-02 20:05	99,568	----a-w	C:\WINDOWS\system32\isafeif.dll
2008-06-01 04:51	---------	d-----w	C:\Documents and Settings\Carol\Application Data\Ludia
2008-06-01 04:51	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ludia
2008-05-29 23:47	---------	d-----w	C:\Documents and Settings\Carol\Application Data\ITTNord
2008-05-28 05:51	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ConeXware
2008-05-26 03:18	---------	d-----w	C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-25 20:53	---------	d-----w	C:\Documents and Settings\Carol\Application Data\Sudden Games
2008-05-25 20:53	---------	d-----w	C:\Documents and Settings\Carol\Application Data\Gogii Games
2008-05-25 20:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Gogii Games
2008-05-19 02:32	---------	d-----w	C:\Documents and Settings\Carol\Application Data\AdobeUM
2008-05-18 21:16	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-18 00:44	---------	d-----w	C:\Documents and Settings\Carol\Application Data\Gamelab
2008-05-18 00:44	---------	d-----w	C:\Documents and Settings\All Users\Application Data\gamelab
2008-05-07 05:18	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2008-04-21 06:56	666,624	----a-w	C:\WINDOWS\system32\wininet.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 13:04 196608]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-10 19:22 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 03:58 206184]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-11-30 08:08 140328]
"EPSON Stylus CX9400Fax Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE" [2007-03-23 06:00 182272]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-05 18:08 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-04 15:46 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-04 15:46 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-04 15:46 259336]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-07 16:39 181512]
"dvHighMem"="C:\WINDOWS\cfgmng32.exe" [2007-11-14 12:34 11333632]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-02 13:06 234736]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-07-17 11:29 14088]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll" [2007-10-15 21:40 1373624]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Sierra\\EmperorRotMK\\Emperor.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Sierra\\Empire Earth - The Art of Conquest\\EE-AOC.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Sierra\\Empire Earth II\\EE2.exe"=
 
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-22 20:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-22 20:39]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2007-05-18 13:30]
R2 WinSvchostManager;WinSock Svchost Manager;C:\WINDOWS\system32\svcprs32.exe [2007-11-14 12:35]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-04-10 10:39]
S3 Boonty Games;Boonty Games;C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\8.tmp []
 
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 18:29:14 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Carol at 11 29 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
- - - - ORPHANS REMOVED - - - -
 
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
 
 
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 19:06:27
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\8.tmp"
.
Completion time: 2008-07-17 19:09:39
ComboFix-quarantined-files.txt  2008-07-18 02:09:20
 
Pre-Run: 5,231,628,288 bytes free
Post-Run: 5,243,576,320 bytes free
 
225	--- E O F ---	2008-07-09 10:00:37

IKZ

Can you please download HijackThis and attach a log file--it will be more helpful for me to point to the problem. We will take care of it Hesperian--don't you worry.

-Steve
bradfuller

You have spyware.  Download and update a decent Anti-Malware program.   I suggest Nod32.  Google it.  Download the free 30 day trial.  
Hesperian

ASKER

OK here is the HJT log file
As to bradfuller's response, I am already running the paid version of CA Internet Security on the system, as well as having scanned the drive both online and offline from several antivirus and anti-spyware engines. They have all been unable to even see this infection.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:37 PM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SA1.tmp" /EF "HKCU"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Yahtzee\Images\stg_drm.ocx
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174374241281
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.6.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles_64916/heartbeat.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Magic Farm\Images\armhelper.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://intertops.microgaming.com/Intertops/FlashAX2.cab
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
 
--
End of file - 10633 bytes


IKZ

Okay- start with removing O2 and O3 ask.dll lines as well as O23 boonty games line (boonty.exe)  These files are all missing.
Then remove all R0 and R1 lines EXCEPT the one with yahoo.com (this should be your normal homepage--correct?)
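The advice above boils down to three checks on a HijackThis log: add-on (O2/O3) and service (O23) entries whose file is missing, services with no named owner, and R0/R1 start/search-page overrides that are not the Internet Explorer defaults. The script below is an added example, not code from this thread or from HijackThis; it applies those checks to sample lines constructed from the log format shown above and reports what a reviewer should look at. The section codes and the "(file missing)" / "Unknown owner" markers are HJT's own; the rule that only about:blank and go.microsoft.com fwlink pages count as defaults is this example's assumption.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the thread or from HijackThis itself.  It flags
the kinds of entries the replies above single out: O2/O3 browser add-ons whose
DLL is missing, O23 services with an unknown owner or a missing binary, and
R0/R1 start/search-page entries that differ from the assumed IE defaults.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HJT log format used in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code such as "O2" or "O23"
    reason: str   # why the line deserves a look
    line: str     # the log line itself


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumed IE defaults: about:blank and the Microsoft fwlink pages seen in the log.
DEFAULT_PAGE_PREFIXES = ("about:blank", "http://go.microsoft.com/fwlink/")


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the entries a reviewer should look at, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # process list, headers, blank lines
        section, body = match.group("section"), match.group("body")

        # Orphaned add-on or service: the registry points at a file that is gone.
        if body.endswith("(file missing)"):
            findings.append(Finding(section, "referenced file is missing", line))

        # Services with no vendor string; legitimate ones normally name their owner.
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service has unknown owner", line))

        # Start/search page overrides that are not the assumed defaults.
        if section in ("R0", "R1"):
            url = body.split(" = ", 1)[1].strip() if " = " in body else ""
            if not url.startswith(DEFAULT_PAGE_PREFIXES):
                findings.append(Finding(section, "non-default start/search page", line))
    return findings


def count_by_reason(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings so a long log can be eyeballed quickly."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(count_by_reason(triage_hjt(SAMPLE_LOG)))
```

Run against the sample, the script reports the two Ask Toolbar lines and the Boonty service as missing files, and Boonty and WinSvchostManager as services without an owner; neither R line is reported because both point at an assumed default. A flagged line is a candidate for review, not proof of infection: an orphaned entry from an uninstalled toolbar looks the same as one left by malware, which is why the thread asks for the log rather than acting on a single line.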
Hesperian

ASKER

um no the normal home page is blank
Hesperian

ASKER

and how exactly do I go about removing the items you suggested?
IKZ

Okay- delete the one with yahoo and leave the about.blank line alone.

And here are the manual delete instructions for that self advertising program-- I would boot into safe mode to do them.

Manual Removal Instructions:

Stop IEAntiVirus Processes:
ieav.exe
ie-av.exe
ieavinstaller.exe

Find and Delete these IEAntiVirus Files:
ieav.exe
ieavinstaller.exe
%desktopdirectory%\ie antivirus 3.2.lnk
%program_files%\ieantivirus\ieas.db2
%program_files%\ieantivirus\uninst.exe
%program_files%\ieantivirus\ieav.exe
%program_files%\ieantivirus\ieas.db3
%program_files%\ieantivirus\ieav.exe
%program_files%\ieantivirus\uninst.exe
%programs%\ie antivirus 3.2.lnk
antivir.exe
ie-av.exe
uninst.exe
%desktopdirectory%\ie antivirus 3.3.lnk
%program_files%\ieantivirus\antivir.exe
%programs%\ie antivirus 3.3.lnk
%program_files%\ieantivirus\antivir.exe
uninst.exe
ie-av.exe

Remove IEAntiVirus Registry Values:
HKEY_CURRENT_USER\software\ieantivirus
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run antispy
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run antispy
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ie antivirus
IKZ

Also,

If you are using firefox:

Go to Tools > Add-Ons > and disable all of them--see if this fixes the problem.  

Also clear your entire browsing history and cookies.
IKZ

For Internet Explorer:

Click Tools > Manage Add-Ons > Enable or Disable Add-Ons
Click on an add-on's name, then click Disable to disable it.

Look out for one called IE ext and get rid of it.
Hesperian

ASKER

OK, sorry for sounding slow here, but those processes are not running, as I have never installed the ie-av.exe file. In fact I don't see those processes listed on the HJT log either. Am I missing something here?
younghv

Hesperian,
I have sent emails to 'rpggamergirl' and 'IndiGenus' asking them to review this question.

They are both well-trained and qualified (by the actual anti-malware developers) to give advice with these kinds of problems.

Please be aware that anyone can post Expert advice here on EE, but not all Experts are created equal.

You will note by looking at the Hall of Fame statistics that the two Experts I mention are the top ranked in this Zone. To get more information on anyone offering you advice, just click on their name to get an idea of their experience and success here on EE.
PCLANTECHS

To remove this on a client's machine, all I did was run RogueFix from safe mode, which can be found here:

http://www.internetinspiration.co.uk/roguefix.htm#uninstall
ASKER CERTIFIED SOLUTION
rpggamergirl

Restore your Windows hosts file as well; the virus/malware has infected it, so the redirection will continue to happen and downloads of the malware will never stop.

I use a very useful tool for that called HostsXpert from the MajorGeeks website. Find it below with the instructions for using the program.
http://forums.majorgeeks.com/showthread.php?t=138700

Good Luck
younghv

I pop this pre-configured 'HOSTS' file into every computer I work on:
http://www.mvps.org/winhelp2002/hosts.htm

The MS MVP who developed this updates it about twice a month, but even if you don't do the updates, it is a great starting point for any Windows OS.
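The two replies above make the same point from opposite directions: a hijacked hosts file sends hostnames to an address the attacker controls, while a legitimate one (including the MVPS blocklist) only ever maps names to loopback or to 0.0.0.0. The script below is an added example, not code from this thread, from HostsXpert or from the MVPS project; it parses hosts-file content, reports every mapping whose target is a routable address, and writes back the file with those lines removed. The sample file, the example.com hostnames and the 192.0.2.10 target are constructed.

```python
"""Audit a Windows hosts file for hijack-style redirections.

Added example, not code from the thread, from HostsXpert or from the MVPS
project.  A legitimate hosts file, including the MVPS blocklist, only maps
names to loopback (127.x / ::1) or to the unspecified address 0.0.0.0; any
line that sends a hostname to a routable address is a redirection and is
reported, and rewrite_without_redirections() produces the restored content.
"""
import ipaddress
from typing import Iterator, List, NamedTuple, Tuple


class Redirection(NamedTuple):
    lineno: int
    host: str
    target: str


# Constructed sample: a minimal hosts file, two MVPS-style block entries, and
# two injected lines.  192.0.2.10 is from the RFC 5737 documentation range and
# stands in for whatever routable address a hijacker would use.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
0.0.0.0         ads.example.net          # MVPS-style block entry
127.0.0.1       tracker.example.com      # block entry using loopback
192.0.2.10      www.example-av-vendor.com  # redirection to a routable host
192.0.2.10      update.example.com
"""


def _parse(text: str) -> Iterator[Tuple[int, ipaddress._BaseAddress, str]]:
    """Yield (lineno, address, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; leave it for a human to inspect
        for host in parts[1:]:
            yield lineno, addr, host.lower()


def find_redirections(text: str) -> List[Redirection]:
    """Mappings whose target is neither loopback nor 0.0.0.0 / ::."""
    return [
        Redirection(lineno, host, str(addr))
        for lineno, addr, host in _parse(text)
        if not (addr.is_loopback or addr.is_unspecified)
    ]


def rewrite_without_redirections(text: str) -> str:
    """Return the hosts content with every redirecting line removed.

    Comments and block entries survive, so an MVPS-style list stays intact.
    """
    bad = {r.lineno for r in find_redirections(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1)
            if lineno not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for r in find_redirections(SAMPLE_HOSTS):
        print(f"line {r.lineno}: {r.host} -> {r.target}")
    print(rewrite_without_redirections(SAMPLE_HOSTS))
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it, feed the text to find_redirections(), and only write the rewritten content back once the reported lines have been reviewed, since a block entry that points at loopback is kept on purpose and a redirection to any other address is what the thread is telling you to remove.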
rpggamergirl

Hi Hesperian,

Glad to know it's been resolved. Thanks for the points.

May I ask, if it's okay with you if I share points with younghv as he brought me to this thread and he also has an excellent suggestion here {http:#22058296}

Thanks!