Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

PHP:Redirector-P [Trj]

Started by Junius , Jun 06 2011 09:36 PM

  • This topic is locked This topic is locked

#16
Junius
Posted 20 June 2011 - 01:40 PM

Junius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hello,

Here is the ComboFix.txt Log

ComboFix 11-06-19.0r1 - Bob 06/20/2011 14:19:46.1.4 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.6071.4946 [GMT -5:00]
Running from: c:\users\Bob\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
L:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
.
.
2011-06-19 18:13 . 2011-06-19 18:13 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-06-18 20:15 . 2011-06-18 20:15 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-18 18:16 . 2011-06-18 18:16 -------- d-----w- C:\GMER
2011-06-17 11:06 . 2011-05-09 22:00 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F4EE75B9-C9B9-4B9C-B05D-D7630D73F780}\mpengine.dll
2011-06-16 02:30 . 2011-04-25 05:32 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-16 02:30 . 2011-04-25 02:44 499712 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-14 18:53 . 2011-06-14 18:53 -------- d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
2011-06-14 18:53 . 2011-06-14 18:53 -------- d-----w- c:\programdata\Malwarebytes
2011-06-14 18:53 . 2011-05-29 14:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-14 18:53 . 2011-06-14 18:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-14 18:53 . 2011-05-29 14:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-14 18:23 . 2011-06-14 18:23 -------- d-----w- C:\_OTL
2011-06-11 14:46 . 2011-05-10 12:04 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-07 17:35 . 2011-06-07 17:35 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2011-05-25 00:54 . 2011-04-22 20:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-24 16:35 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-05-24 16:35 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-05-22 17:06 . 2011-05-22 17:06 -------- d-----w- c:\users\Bob\AppData\Roaming\HPSS
2011-05-22 17:06 . 2011-05-22 17:06 -------- d-----w- c:\programdata\HPSS
2011-05-22 17:05 . 2001-09-05 09:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-22 17:05 . 2001-09-05 09:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-22 17:05 . 2001-09-05 09:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-22 17:05 . 2003-04-16 23:26 614532 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-05-22 17:05 . 2001-09-05 09:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-09 02:59 . 2011-05-18 22:53 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-10 12:10 . 2010-07-04 06:09 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-07-04 06:09 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-10 12:10 . 2011-01-20 13:00 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:04 . 2010-07-04 06:09 287576 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-07-04 06:09 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2010-07-04 06:09 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-07-04 06:09 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2010-07-04 06:09 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-04 09:52 . 2010-07-07 18:48 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-04-09 06:45 . 2011-05-11 20:33 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-11 20:33 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 20:33 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-04-01 14:10 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-25 03:23 . 2011-05-11 20:32 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-03-25 03:23 . 2011-05-11 20:32 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-25 03:23 . 2011-05-11 20:32 324608 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-25 03:22 . 2011-05-11 20:32 52224 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-25 03:22 . 2011-05-11 20:32 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-03-25 03:22 . 2011-05-11 20:32 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-03-25 03:22 . 2011-05-11 20:32 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-06 53248]
"CAHeadless"="c:\program files (x86)\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-06 615808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2009-07-07 241789]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\users\Bob\AppData\Roaming\HP SimpleSave Application\StartHelper.exe [2011-5-22 477080]
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-17 136176]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-07-04 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-06-29 79360]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-17 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 BackupService;BackupService;c:\users\Bob\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe [2010-07-01 83512]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-01-25 92216]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-17 01:14]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-17 01:14]
.
2011-06-18 c:\windows\Tasks\HPCeeScheduleForBob.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
2011-05-31 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-14 610360]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\rk8kmde7.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\windows\SysWOW64\rundll32.exe
c:\users\Bob\AppData\Roaming\HP SimpleSave Application\HPSSBackupMonitor.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
.
**************************************************************************
.
Completion time: 2011-06-20 14:28:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-20 19:28
.
Pre-Run: 555,057,852,416 bytes free
Post-Run: 554,687,262,720 bytes free
.
- - End Of File - - 1FF2044CAF5699ED04E8E4C2D3908BA2
  • 0

Advertisements

#17
mitch8
Posted 20 June 2011 - 03:18 PM

mitch8

    Trusted Helper

  • Malware Removal
  • 1,356 posts
Hi,

Your system looks fine, your ebooks that you downloaded are infected which is causing your anti-virus to freak out. I would delete them and your backups. You can see the list of infected books on post 14. I'm not sure if the scan removed them or not, it just said detected. Can you check to make sure they are gone? After that is done can you run another scan with your anti-virus?
  • 0

#18
Junius
Posted 20 June 2011 - 04:27 PM

Junius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hello,

After completing the ComboFix scan and posting it here, I did Avast scans, which just completed.

Results are:

Full System Scan:

No Threats/Viruses found.

Boot-Time Scan:

Corrupted file found:

File C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\resources\guid.zip |>HPSAUpgrade.exe Error 42125 {ZIP archive is corrupted}

Infected file found:

File L:\BOB-PC\Backup Set 2010-08-13 030125\Backup Files 2010-08-13 030125\Backup Files 26.zip | Users\BOB\Documents\Joel Comm Free Bonsus\fashion school.zip |>fasion-school-site\flags.php is infected by PHP:Redirector-P [Tjr]

Virus Chest entry shows:

Name: fashion-school-site\flags.php
Original Location: L:\BOB-PC\Backup Set 2010-08-13 030125\Backup Files 2010-08-13 030125\Backup Files 26.zip |>C\Users\BOB\Documents\Joel Comm Free Bonsus\fashion school.zip
Last changed: 6/19/2011 3:59:46 AM
Transfer time: 6/19/2011 4:00:39 AM
Virus: PHP:Redirector-P [Trj]

This is the same as found in post #14 above when I ran the boot-time scan back then.

I'll delete that entire *Backup Set 2010-08-13 030125 from drive L: (external back up drive). Then run Avast again.

Will also check that ebook files detected were removed, if not will delete per you instructions. Then run Avast again.
  • 0

#19
mitch8
Posted 20 June 2011 - 05:23 PM

mitch8

    Trusted Helper

  • Malware Removal
  • 1,356 posts
OK, sounds good.
  • 0

#20
Junius
Posted 21 June 2011 - 07:10 AM

Junius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hello,

Whewww what an adventure - LOL.

I finallyyyyy got *clean* Avast *full system* and *boot-time* scans around 4 AM this morning. But, I'm not certain everything is cleaned out yet. I'm going to run Avast scans around noon today, then again this evening - hopefully, they won't show any infections, etc. I'll post here tonight with all the details.

Again, thank you very much for your help.
  • 0

#21
Junius
Posted 21 June 2011 - 04:59 PM

Junius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hello,

I checked all the files listed in Post #14 above. It appeared the *detected* files were deleted on C: drive.

On L: drive (external back up) I deleted the entire Back Up Set 2010-08-13. Then checked the files listed in Post #14 above. It appeared the *detected* files were deleted on L: drive.

I then ran Avast Full System and Boot-Time scans. No threats on C: drive.

But, L: drive (external back up) still had the PHP:Redirector-P [Tjr] in the 2010 September Back Up Set. Showed it in the same *detected* file as it was in the 2011-08-13 Back Up Set. Moved it to the Chest.

Deleted 2010 September Back Up Set from L: drive.

Ran Avast Full System and Boot-Time scans, again.

Full System scan found: unp194105916.tmp at C:\Windows\temp [PHP:Rediector-P [Tjr].

Moved it to Virus Chest.

Boot-time scan found: The same *detected* file as was in the 2010-08-13 Back Up Set in the 2010 October Back Up Set on L: drive.

Moved it to Virus Chest.

Then deleted 2010 October Back Up Set from L: drive.

Then deleted ALL Back Up Sets from L: drive prior to 2011-04-06.

Then deleted the entire Directory(folder) for all ebook files listed in Post #14 above on C: drive (the malware remove tool only deleted the file within the directories that it detected were infected, and left the remaining files in the directories).

Ran Avast Full System and Boot-time scans again.

C: drive was clean with no threats detected.

Boot-time scan found the same PHP:Redirector-P [Tjr] on L: drive 2011-04-06 Back Up Set.

I moved it to Virus Chest.

Then deleted 2011-04-06 Back Up Set from L: drive.

I ran Avast Full System and Boot-time scans, again.

Full System Scan detected no infections on C: or L: drives.

Boot-time Scan detected no infections on C: or L: drives.

I ran Avast Full System and Boot-time scans 2 more times today. Both times results were clean with no infections detected on either C: or L: drives.

BUT ....

After we ran the GMER Scan (see Post #14) whenever I do a *boot-time* scan (Avast) this *corrupted* file is found on C: drive:

File C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\resources\guid.zip |>HPSAUpgrade.exe Error 42125 {ZIP archive is corrupted}

This has shown up on every Boot-time scan I've done since running the GMER Scan.

It has never shown up during boot-time scans before. So I'm wondering if the corruption might have been caused by the GMER Scan, or not. Also, what the fix might be. Any words of wisdom on the matter?

Again, thank you for your help - veryyyyyyyyyy much appreciated!

Edited by Junius, 21 June 2011 - 05:03 PM.

  • 0

#22
mitch8
Posted 21 June 2011 - 06:44 PM

mitch8

    Trusted Helper

  • Malware Removal
  • 1,356 posts
I doubt that GMER would cause that in the log. It's nothing to worry about, it's just saying that some file can be scanned within the zip file. If you really want to stop that warning you could always uninstall HP health check remove the file and install it again.
  • 0

#23
Junius
Posted 21 June 2011 - 07:23 PM

Junius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hello,

1. OK, just wanted to get your input on the HP Health Check file. I'll contact HP and let them take care of it under the On-Site service contract/warranty I have with them.

2. Can I assume we are done cleaning my computer, or is the more to do.

3. Do I need to keep all the Logs we created or is it okay to delete them now. Also, should I keep the Scan programs on my computer or uninstall them?

4. I have another computer with Windows 98SE O/S - It has Avast 4.8 Home on it which is about to expire. I recall reading someplace that Avast is no longer supporting 4.8 and that it is the last version that will work on 98SE. Do you know of another anti-virus that works on 98SE? Or, if Avast 6 works on 98SE?

5. Last but not least: There used to be a *tip jar (donate)* button on the site. I can't seem to find it (or maybe I'm blind - lol) as I'd like to send you a tip for helping me.

Again, thank you for all your time, knowledge and assistance - much appreciated!
  • 0

#24
mitch8
Posted 21 June 2011 - 09:03 PM

mitch8

    Trusted Helper

  • Malware Removal
  • 1,356 posts
Hi,

Unfortunately that was the last avast version to support windows 98. The only anti-virus system I can find that works on windows 98 is ClamWin however it doesn't provided you with real time protection, so it won't block anything, you have to do manual scans.

Thank you for wanting to donate. :unsure: I don't accept donations but you can donate directly to this website. Information about that is located here.

It looks like your log is clean :) You need to remove the malware removal tools from your computer, to do that:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
[CLEARALLRESTOREPOINTS]
  • Then click the Run Fix button at the top

After it is done open up OTL and click on CleanUp Once it is done removing the tools you can delete anything else that is leftover. (so yes, you can delete the logs.)

Please follow the steps below to keep your computer clean.

  • Update your computer - To check for updates yourself click on start then type in Windows Update in the search bar and select it. In the left pane, click Check for updates, and then wait while Windows looks for the latest updates for your computer.
  • Update Adobe Reader- It's good to keep Adobe Reader updated to because many security problems are fixed in updates. To check for updates:
    • Open Adobe Reader
    • On the menu bar click on help then check for updates...
    • The program will then tell you if updates are available
  • Anti-spyware programs - These programs will scan your computer and delete spyware. If you do not have any anti-spyware programs on your computer I recommend:
    • Malware Bytes (Malware Bytes is already on your system. You can use it to scan for malware manually or you can uninstall it if you don't want it.)
    • SUPERAntiSpyware
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A good tutorial on SpywareBlaster can be found at http://www.bleepingcomputer.com/tutorials/tutorial49.html
  • Safe web browsing - You can install one of the toolbars below that will warn you about a malicious website.
  • Update your security software! You have to update you security software to make sure your computer is safe from new malware threats.
  • And also see TonyKlein's article
    So how did I get infected in the first place?

  • 0

#25
mitch8
Posted 27 June 2011 - 11:49 AM

mitch8

    Trusted Helper

  • Malware Removal
  • 1,356 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP