Author Topic: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!  (Read 4463 times)


Offline zerofun1224

  • Bronze Member
  • Posts: 22
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #15 on: May 31, 2009, 12:47:56 pm »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:43 PM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=NET_mmhpset
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [Desktop Software] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe"  /ini "uinstaller.ini" /fromrun /starthidden
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (oacat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Online Armor (svconlinearmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 10637 bytes
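
A small triage script, added here and not part of the thread or of HijackThis itself, that pulls out of a log like the one above the entry types a helper scans first (browser proxy settings, Winsock LSP entries, services without a publisher). The "worth review" heuristics are this example's own assumptions, and its sample input is a constructed subset of lines copied from the log.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Heuristics are assumptions of this example, not the forum helper's rules:
  * an R1 ProxyServer entry pointing at localhost/127.0.0.1 is worth checking,
    because a local proxy can rewrite the browser's traffic;
  * O10 "Unknown file in Winsock LSP" and O23 services with "Unknown owner"
    are entries HijackThis could not attribute, so a human should look at them.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=NET_mmhpset
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split a log into {'kind': 'R1', 'body': '...'} records, ignoring other lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def proxy_target(body: str) -> Optional[str]:
    """Return 'host:port' from an R1 ProxyServer body, or None for other entries."""
    if "ProxyServer" not in body:
        return None
    value = body.split("=", 1)[1].strip()  # e.g. 'http=localhost:7171'
    return value.split("=")[-1]            # drop the optional 'http=' scheme prefix


def triage(text: str) -> List[str]:
    """Return review notes for the entries the heuristics above select."""
    notes = []
    for e in parse_entries(text):
        kind, body = e["kind"], e["body"]
        if kind == "R1":
            target = proxy_target(body)
            if target and target.split(":")[0].lower() in LOCAL_HOSTS:
                notes.append(f"R1 proxy -> {target}: confirm which process listens on that port")
        elif kind == "O10" and body.startswith("Unknown file in Winsock LSP"):
            notes.append(f"O10 LSP not attributed: {body.split(':', 1)[1].strip()}")
        elif kind == "O23" and " - Unknown owner - " in body:
            notes.append(f"O23 service without publisher: {body.split(' - ')[-1]}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

A flagged entry is a prompt to check the file or listener, not a verdict; the O10 entry above, for instance, may be a legitimate provider that HijackThis simply does not recognise.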

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7948
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #16 on: May 31, 2009, 01:01:26 pm »
Hi,

You can uninstall the Logitech Desktop Messenger - it is pretty much useless.

What about the redirections?
Don't Read?  Can't learn!

Offline zerofun1224

  • Bronze Member
  • Posts: 22
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #17 on: May 31, 2009, 02:03:25 pm »
Still going on, unfortunately, and I am uninstalling that now. Thanks for the tip.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7948
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #18 on: May 31, 2009, 02:49:23 pm »
Hi,

I need you to run ComboFix again using the drag-and-drop method, only using the new code below:

Code:

Killall::

File::
c:\windows\PEV.exe
c:\windows\system32\CF883.exe
c:\windows\system32\CF795.exe
c:\windows\system32\update344502671.exe
c:\windows\system32\541106016.dat
c:\windows\system32\_id.dat

Folder::
C:\ComboFix

Driver::
NwSapAgent
PciCon

DirLook::
c:\windows\system32\sysloc


Please post the following:

a. the new combofix.txt
b. a fresh HJT log
c. please tell me if the redirections are any better now.
Don't Read?  Can't learn!

Offline zerofun1224

  • Bronze Member
  • Posts: 22
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #19 on: May 31, 2009, 04:01:16 pm »
Following the instructions, I get:


Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double

Deleting Files:

"C:\ComboFix\023.dat"
"C:\ComboFix\023v.dat"
"C:\ComboFix\ADS.dat"
"C:\ComboFix\appdata.folder.dat"
"C:\ComboFix\appinit.bad"
"C:\ComboFix\Assoc.cmd"
"C:\ComboFix\attr.dat"
"C:\ComboFix\Attrib.cfexe"
"C:\ComboFix\autorun_inf.dat"
"C:\ComboFix\autorun_infB.dat"
"C:\ComboFix\av.cmd"
"C:\ComboFix\av.vbs"
"C:\ComboFix\AWF"
"C:\ComboFix\AWF.cmd"
"C:\ComboFix\Boot-Rk.cmd"
"C:\ComboFix\Boot.bat"
"C:\ComboFix\BootSect.dll"
"C:\ComboFix\borlander_file.dat"
"C:\ComboFix\borlander_folder.dat"
"C:\ComboFix\c.bat"
"C:\ComboFix\cache.folder.dat"
"C:\ComboFix\Catch-sub.cmd"
"C:\ComboFix\catch_E.dat"
"C:\ComboFix\catch_k.dat"
"C:\ComboFix\catchme.cfexe"
"C:\ComboFix\CatchZipped.dat"
"C:\ComboFix\CCS.bat"
"C:\ComboFix\cfdummy"
"C:\ComboFix\Cfiles.dat"
"C:\ComboFix\Cfolders.dat"
"C:\ComboFix\CfReboot.dat"
"C:\ComboFix\cfrun"
"C:\ComboFix\cfscriptDequarantine00"
"C:\ComboFix\cfscriptFCollect00"
"C:\ComboFix\CFVersionOld"
"C:\ComboFix\CHCP.bat"
"C:\ComboFix\clsid.c"
"C:\ComboFix\clsid.dat"
"C:\ComboFix\Combo-Fix.sys"
"C:\ComboFix\Combobatch.bat"
"C:\ComboFix\ComboFix-Download.cfexe"
"C:\ComboFix\ComboFix.txt"
"C:\ComboFix\ConEnv.sed"
"C:\ComboFix\Cookies.folder.dat"
"C:\ComboFix\Create.cmd"
"C:\ComboFix\Creg.dat"
"C:\ComboFix\CregC.cmd"
"C:\ComboFix\CregC.dat"
"C:\ComboFix\CregC_.dat"
"C:\ComboFix\CSet.cmd"
"C:\ComboFix\d-del_A.dat"
"C:\ComboFix\d-del_B.dat"
"C:\ComboFix\d-delA.dat"
"C:\ComboFix\dd.cfexe"
"C:\ComboFix\DelClsid.bat"
"C:\ComboFix\desktop.folder.dat"
"C:\ComboFix\desktop.ini"
"C:\ComboFix\dll_whitelist.dat"
"C:\ComboFix\dnd.dat"
"C:\ComboFix\Do.dat"
"C:\ComboFix\DPF.str"
"C:\ComboFix\Drive.folder.dat"
"C:\ComboFix\Drives.dat"
"C:\ComboFix\dumphive.cfexe"
"C:\ComboFix\embedded.sed"
"C:\ComboFix\Env.sed"
"C:\ComboFix\ERDNT.e_e"
"C:\ComboFix\ERDNTDOS.LOC"
"C:\ComboFix\ERDNTWIN.LOC"
"C:\ComboFix\ErrTrap1"
"C:\ComboFix\ERUNT.cfexe"
"C:\ComboFix\erunt.dat"
"C:\ComboFix\ERUNT.LOC"
"C:\ComboFix\Exe.reg"
"C:\ComboFix\extract.cfexe"
"C:\ComboFix\f_system"
"C:\ComboFix\favorites.folder.dat"
"C:\ComboFix\FD-SV.cmd"
"C:\ComboFix\FdsvOK"
"C:\ComboFix\ffdefstr.dll"
"C:\ComboFix\files.pif"
"C:\ComboFix\Fin.dat"
"C:\ComboFix\FIND3M.bat"
"C:\ComboFix\FINDSTR.cfexe"
"C:\ComboFix\FIXLSP.bat"
"C:\ComboFix\FKMGen.cmd"
"C:\ComboFix\Fmove"
"C:\ComboFix\ForeignWht"
"C:\ComboFix\Gateway"
"C:\ComboFix\GetHive.cmd"
"C:\ComboFix\GOLDUN.DAT"
"C:\ComboFix\grep.cfexe"
"C:\ComboFix\gsar.cfexe"
"C:\ComboFix\handle.cfexe"
"C:\ComboFix\hidec.exe"
"C:\ComboFix\history.bat"
"C:\ComboFix\image001.gif"
"C:\ComboFix\katch.cmd"
"C:\ComboFix\KiLLNot"
"C:\ComboFix\kmd.dat"
"C:\ComboFix\Kollect.bat"
"C:\ComboFix\Lang.bat"
"C:\ComboFix\List-B.bat"
"C:\ComboFix\List-C.bat"
"C:\ComboFix\lnkread.vbs"
"C:\ComboFix\localappdata.folder.dat"
"C:\ComboFix\LocalService.dat"
"C:\ComboFix\LocalServiceNetworkRestricted.dat"
"C:\ComboFix\localsettings.folder.dat"
"C:\ComboFix\LocalSystemNetworkRestricted.dat"
"C:\ComboFix\Look.dat"
"C:\ComboFix\md5sum.pif"
"C:\ComboFix\MdPev"
"C:\ComboFix\miscfile.dat"
"C:\ComboFix\MissingFiles.dat"
"C:\ComboFix\moveex.cfexe"
"C:\ComboFix\MoveIt.bat"
"C:\ComboFix\mtee.cfexe"
"C:\ComboFix\MWindows.dat"
"C:\ComboFix\mynul.dat"
"C:\ComboFix\mypictures.folder.dat"
"C:\ComboFix\n.com"
"C:\ComboFix\N_\13298"
"C:\ComboFix\N_\26261"
"C:\ComboFix\N_\2652"
"C:\ComboFix\N_\29209"
"C:\ComboFix\N_\30713"
"C:\ComboFix\N_\5184"
"C:\ComboFix\ND_.bat"
"C:\ComboFix\ndis_combofix.dat"
"C:\ComboFix\netsvc.bad.dat"
"C:\ComboFix\netsvc.dat"
"C:\ComboFix\NetworkService.dat"
"C:\ComboFix\NirCmd.cfexe"
"C:\ComboFix\Nircmd.com"
"C:\ComboFix\NirCmdC.cfexe"
"C:\ComboFix\NlsLanguageDefault"
"C:\ComboFix\notifykeys.dat"
"C:\ComboFix\NT-OS.cmd"
"C:\ComboFix\NULL"
"C:\ComboFix\OsId.txt"
"C:\ComboFix\OSid.vbs"
"C:\ComboFix\OsVer"
"C:\ComboFix\pend.txt"
"C:\ComboFix\personal.folder.dat"
"C:\ComboFix\pev.cfexe"
"C:\ComboFix\pev.exe"
"C:\ComboFix\Policies.dat"
"C:\ComboFix\PreDIR"
"C:\ComboFix\Prep.inf"
"C:\ComboFix\PreRunDel00"
"C:\ComboFix\PreRunDel01"
"C:\ComboFix\Profiles.Folder.dat"
"C:\ComboFix\progfile.dat"
"C:\ComboFix\programs.folder.dat"
"C:\ComboFix\Purity.dat"
"C:\ComboFix\pv.cfexe"
"C:\ComboFix\RCLink.dat"
"C:\ComboFix\RcRdy"
"C:\ComboFix\RcVer00"
"C:\ComboFix\REGDACL.sed"
"C:\ComboFix\region.dat"
"C:\ComboFix\RegScan.cmd"
"C:\ComboFix\regt.cfexe"
"C:\ComboFix\Resident.txt"
"C:\ComboFix\restore_pt.dat"
"C:\ComboFix\RestoreO4.bat"
"C:\ComboFix\Rkey.cmd"
"C:\ComboFix\rogues.dat"
"C:\ComboFix\run.sed"
"C:\ComboFix\run2.sed"
"C:\ComboFix\safeboot.dat"
"C:\ComboFix\safeboot.def.dat"
"C:\ComboFix\safeboot.def.vista.dat"
"C:\ComboFix\SafeBootRepair.bat"
"C:\ComboFix\sed.cfexe"
"C:\ComboFix\SetEnvmt.bat"
"C:\ComboFix\SetPath.bat"
"C:\ComboFix\setpath.cfexe"
"C:\ComboFix\SF.exe"
"C:\ComboFix\sfx.cmd"
"C:\ComboFix\SnapShot.cmd"
"C:\ComboFix\SRestore.cmd"
"C:\ComboFix\srizbi.md5"
"C:\ComboFix\startmenu.folder.dat"
"C:\ComboFix\startup.folder.dat"
"C:\ComboFix\StartUpFileB.dat"
"C:\ComboFix\SuppScan.cmd"
"C:\ComboFix\Suspect_feixue"
"C:\ComboFix\svc_wht.dat"
"C:\ComboFix\SvcDrv.vbs"
"C:\ComboFix\svchost.dat"
"C:\ComboFix\SvcTarget.dat"
"C:\ComboFix\swre.exe"
"C:\ComboFix\SWREG.cfexe"
"C:\ComboFix\swreg.exe"
"C:\ComboFix\swsc.cfexe"
"C:\ComboFix\swxcacls.cfexe"
"C:\ComboFix\SysPath.dat"
"C:\ComboFix\system_ini.dat"
"C:\ComboFix\tail.cfexe"
"C:\ComboFix\templates.folder.dat"
"C:\ComboFix\toolbar.sed"
"C:\ComboFix\unhand.dat"
"C:\ComboFix\v_wht.dat"
"C:\ComboFix\ViPev"
"C:\ComboFix\vistareg.dat"
"C:\ComboFix\vRun_DLL"
"C:\ComboFix\vundonames.dat"
"C:\ComboFix\w2kreg.dat"
"C:\ComboFix\whitedir.dat"
"C:\ComboFix\whitedirCreated.dat"
"C:\ComboFix\Windir.dat"
"C:\ComboFix\Wmi_rem.vbs"
"C:\ComboFix\WowErr.dat"
"C:\ComboFix\XP.mac"
"C:\ComboFix\xpreg.dat"
"C:\ComboFix\zDomain.dat"
"C:\ComboFix\zerofun.user.cf"
"C:\ComboFix\zhsvc.dat"
"C:\ComboFix\zip.cfexe"
"C:\ComboFix\Zlob01"
"c:\windows\PEV.exe"
The batch file cannot be found.

Then the program hangs for a bit, closes, and Explorer starts up again.
« Last Edit: May 31, 2009, 04:11:33 pm by zerofun1224 »

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7948
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #20 on: May 31, 2009, 04:15:05 pm »
Hi,

That looks like an incomplete log.  Did you actually run it from the desktop copy of ComboFix?  Among other things, I was deleting your old copy of ComboFix which was running from the wrong location and which was old as well.  That was sitting in C:\Combofix and it looks to me as if you may have run ComboFix by dragging the CFScript.txt file over a desktop shortcut for ComboFix.

Tell you what, delete any copies of ComboFix, shortcuts or otherwise, from your Desktop.  Download a fresh copy to your Desktop and run that script again. 
Don't Read?  Can't learn!

Offline zerofun1224

  • Bronze Member
  • Posts: 22
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #21 on: May 31, 2009, 04:35:20 pm »
PCB
I downloaded it again and saved it to the desktop. Created the CFScript.txt and saved that to my desktop. Dragged it and ran it, with the same outcome: the program stops responding, then closes, and Explorer.exe restarts.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7948
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #22 on: May 31, 2009, 04:39:49 pm »
Hi,

Very strange.  I'll do this an alternative way.  And, I want to use an alternative diagnostic as well.  I have to leave for the day now, but will be back on tomorrow and will post then.
Don't Read?  Can't learn!

Offline zerofun1224

  • Bronze Member
  • Posts: 22
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #23 on: May 31, 2009, 04:42:38 pm »
Alright thanks for all your effort.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7948
Re: [In Progress]i get redirected !!!!!!!9129837.exe!!!!!!!!!!!
« Reply #24 on: June 01, 2009, 02:47:18 pm »
Hi,

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text below between the dotted lines to the clipboard by highlighting it and then pressing Ctrl+C.
    ------------------------------------------------------------------------------------
    Files to delete:
    c:\windows\PEV.exe
    c:\windows\system32\CF883.exe
    c:\windows\system32\CF795.exe
    c:\windows\system32\update344502671.exe
    c:\windows\system32\541106016.dat
    c:\windows\system32\_id.dat

    Folders to delete:
    C:\ComboFix

    Drivers to delete:
    NwSapAgent
    PciCon
    ------------------------------------------------------------------------------------
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
Then run ComboFix again without using any CFScript.txt.  Just run it by double clicking on it.

Please post the following:

a. the Avenger log
b. combofix.txt
c. a fresh HJT log
d. please post whether the redirections have been taken care of.
Don't Read?  Can't learn!