Strange results on Google

Jacquie
21-01-2009, 10:07 AM
Hi. A couple of days ago my NOD32 found some infected files and deleted them. Since then I have been getting strange results on Google in Firefox and IE. I search for something obvious and all the top results have the words you would expect but funny internet addresses, and the real company is somewhere further down the page. I reran NOD and it can't find anything; what can I do?

pctek
21-01-2009, 10:11 AM
What, for example? Give us one and I'll see what I get.

You could have spyware, did you scan with antispyware as well?

If not then:

Spybot
Malwarebytes

Blam
21-01-2009, 10:12 AM
Firstly, download HijackThis (http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe) and run it, then post a log here.

Meanwhile, download Malwarebytes Anti-Malware, update it, then do a full scan.

Cheers
Blam

pkm
21-01-2009, 10:21 AM
Search hijacking seems more popular recently. It might help to check the log and see what malware it actually removed.

I found this blog quite interesting. Install a weird browser to compare? http://www.oldapps.com/

http://www.avertlabs.com/research/blog/index.php/2008/12/04/beware-of-fake-alert-tour-driven-by-malware-team/

CYaBro
21-01-2009, 12:28 PM
Sounds like the TDSSserv rootkit.

Open Device Manager, Click View - Show Hidden Devices.
Scroll down to Non-Plug and Play devices and under that look for TDSSserv.sys.
If it is there right-click and disable it.
Restart the PC and run Malwarebytes.

Agent_24
21-01-2009, 03:44 PM
A friend of mine recently had some malware that interfered with his Google searches; I think it was a Vundo variant of some sort.

Jacquie
21-01-2009, 04:38 PM
Hi, thanks for all your help. I looked for that device TDSSserv.sys but couldn’t find it.

I tried HijackThis and got this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:19 p.m., on 21/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\CYBERL~1\SHARED~1\RICHVI~1.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Jacquie May\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q306&bd=presario&pf=laptop
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.digitalmax.co.nz/ImageUploader/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 10759 bytes

This is what my NOD scan which found infected files said:

Scan performed at: 14/01/2009 19:46:33 p.m.
Scanning Log
NOD32 version 3763 (20090113) NT
Operating memory - is OK

Date: 14.1.2009 Time: 19:46:40
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; D:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\ntuser.dat - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Mozilla\Firefox\Profiles\phbpkv8w.default\parent.lock - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Mozilla\Firefox\Profiles\phbpkv8w.default\places.sqlite-journal - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\call256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\callmember256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chat4096.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chat512.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chat8192.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chatmember256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chatmsg1024.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chatmsg2048.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chatmsg256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\chatmsg512.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\contactgroup256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\index2.dat - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\profile1024.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\user1024.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\user16384.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\user256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\user4096.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Application Data\Skype\jacquiermay\voicemail256.dbb - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Local Settings\Temp\adgavuxo.exe - a variant of Win32/Kryptik.EH trojan
C:\Documents and Settings\Jacquie May\Local Settings\Temp\etilqs_2zuQyHMxPAYqvOOt6UMH - error opening (File locked) [4]
C:\Documents and Settings\Jacquie May\Local Settings\Temp\GLB22.tmp »WISE »WISE0132.DLL - archive damaged
C:\Documents and Settings\Jacquie May\Local Settings\Temp\PlugWinamp.exe - a variant of Win32/Kryptik.EN trojan
C:\Documents and Settings\Jacquie May\Local Settings\Temp\TDSSc8a.tmp - a variant of Win32/Kryptik.EN trojan
C:\Documents and Settings\Jacquie May\Local Settings\Temp\TDSSf950.tmp - a variant of Win32/Kryptik.EN trojan
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPT_t\Ebplpt.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPT_s\ECBTEG.DLL - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPTW2K_s\EBPMON2.DLL - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPTW2K_s\ebpport.dat - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPTNT_s\ebppmon.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPT95_s\EBPMON.DLL - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\LPT95_s\ebpport.dat - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\Etc\EBAPI.ini - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\EBAPI16_s\Ebapi162.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\EBAPI16_s\EBAPI2HS.EXE - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\BASE_t\STMSetup.exe - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\BASE_t\STMSetup.ex0 - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\BASE_s\ebapi2.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\EB5ST000.DAT »CAB »\AGENT2_t\SAgent2.exe - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPT_t\Ebplpt.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPT_s\ECBTEG.DLL - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPTW2K_s\EBPMON2.DLL - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPTW2K_s\ebpport.dat - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPTNT_s\ebppmon.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPT95_s\EBPMON.DLL - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\LPT95_s\ebpport.dat - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\Etc\EBAPI.ini - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\EBAPI16_s\Ebapi162.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\EBAPI16_s\EBAPI2HS.EXE - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\BASE_t\STMSetup.exe - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\BASE_t\STMSetup.ex0 - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\BASE_s\ebapi2.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Backup\Windows\system32\spool\drivers\w32x86\3\EB5ST000.DAT »CAB »\AGENT2_t\SAgent2.exe - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Documents and Settings\Jacquie\Local Settings\Temp\gtbF.tmp.cab »CAB »googlenav.dll - archive damaged - the file could not be extracted.
C:\OLD DATA - From C Drive old HP computer\Documents and Settings\Jacquie\Local Settings\Temporary Internet Files\Content.IE5\6XQD6J2N\GoogleNav[1].cab »CAB »googlenav.dll - archive damaged - the file could not be extracted.
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »Config.ini - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp193.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp194.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp195.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp196.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp197.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp198.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp199.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp200.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp201.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp202.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp203.reg - error - password-protected file
C:\Program Files\RegistryFix\RegistryFixBackup\3,27,2007_12,2,26.zip »ZIP »rkBackUp204.reg - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Factors/CalcFactors.xml - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/ILL Update 1 New HealthRates.txt - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/EssentialsRateData.xml - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/GenesisRateData.XML - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/HealthRateData.XML - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/IAGRateData.xml - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/PremiumIndexRateData.XML - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/RiskRateData.xml - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/SavingRateData.XML - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »8.8/8.8B/Rates/ULRateData.XML - error - password-protected file
C:\Program Files\Sovereign\Illustrations\8.8\External.zip »ZIP »VersionPath.ini - error - password-protected file
C:\SWSETUP\Money\US\IE\ient_s1.CAB »CAB »IENT_1.CAB »CAB »MSHTML.DLL - next archive volume not found
C:\SWSETUP\Money\US\IE\ie_s1.CAB »CAB »IE_1.CAB »CAB »MSHTML.TLB - next archive volume not found
C:\SWSETUP\MSWorks\US\REDIST\IE6\IENT_S1.CAB »CAB »IENT_1.CAB »CAB »MSHTML.DLL - next archive volume not found
C:\SWSETUP\MSWorks\US\REDIST\IE6\IE_S1.CAB »CAB »IE_1.CAB »CAB »MSHTML.TLB - next archive volume not found
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP551\A0054941.sys - Win32/Agent.ODG trojan - deleted
C:\WINDOWS\system32\TDSSktkl.dll - Win32/Agent.ODG trojan - deleted
C:\WINDOWS\system32\TDSSlajf.dll - Win32/Agent.OIK trojan - deleted
C:\WINDOWS\system32\TDSSoxum.dll - Win32/Olmarik.AW trojan - deleted
C:\WINDOWS\system32\TDSSurxb.dll - Win32/Agent.OIK trojan - deleted
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\Temp\exp15D3.tmp »RAR »EXPDATE.TXT - archive damaged
C:\WINDOWS\Temp\exp49.tmp »RAR »EXPDATE.TXT - archive damaged
C:\WINDOWS\Temp\exp84E.tmp »RAR »expdate.txt - archive damaged
C:\WINDOWS\Temp\expC0E.tmp »RAR »expdate.txt - archive damaged
C:\WINDOWS\Temp\expC7E.tmp »RAR »EXPDATE.TXT - archive damaged
C:\WINDOWS\Temp\TDSSb734.tmp - Win32/Agent.ODG trojan - deleted
Number of scanned files: 642932
Number of threats found: 10
Number of files cleaned: 10
Time of completion: 21:02:23 Total scanning time: 4543 sec (01:15:43)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.


This is what I get if I search for something simple like ASB.


Results 1 - 20 of about 11,400,000 for asb. (0.09 seconds)
Search Results
1. ASB Bank New Zealand - Home
ASB Bank provide a wide range of banking services in New Zealand, including credit cards, car loans, home loans, car insurance and online banking.
au.shopping.com - 23k - Cached - Similar pages
2. ASB Bank New Zealand - Personal
ASB Term Fund. Paying over 30% tax? Get higher returns by paying less tax. Foreign exchange. Win $5000 worth of travel for your next big trip. ...
yellow.co.nz/keywordasbbank - 26k - Cached - Similar pages
3. ASB FastNet : Sign On
New Zealand service offering balances, statements, transfers to other ASB accounts, bill payments and automatic payments to ASB Bank customers.
www.loancalculator.net.au - 2k - Cached - Similar pages
4. ASB Community Trust - Home
ASB Community Trust is an independent grant-making organisation supporting the work of not-for-profit groups in Auckland and Northland. ...
freescan.antivirus.com/asb.html - 9k - Cached - Similar pages
5. ASB Classic
What's new. Unseeded Pair ASB Classic 2009 Doubles Champion (January 10, 2009). ASB Classic Champion 2009 Elena Dementieva (January 10, 2009) ...
www.monstermarketplace.com/ - 20k - Cached - Similar pages
6. ASB Securities - Home
At ASB Securities we have all kinds of customers, thousands of them - people like you. Some of them like the freedom of trading online, others like the ...
www.infonation.com.au/cars - 30k - Cached - Similar pages
7. Careers at ASB
The ASB Group of Companies is one of the largest providers of financial and ... To find out more about the companies in the ASB Group, click on one of the ...
infonation.com.au/air-conditioning - 12k - Cached - Similar pages
8. 2009 ASB Polyfest - Home
Home |; Visitors |; Schools Info |; Results 2008 |; Timetable |; Sponsors |; Stallholders |; Media PR |; Venue Map |; Contact Us |; DVD's |; ASB Polyfest ...
www.thetop10.com/ - 6k - Cached - Similar pages
9. ASB Stadium, Kohimarama
ASB Stadium. Location • Events • Sports Clubs • Fitness Gym • Early Childhood Centre • After School / Holiday Club • Tour • About ...
www.askboogo.com - 3k - Cached - Similar pages
10. ASB Securities : Sign On
ASB recommends you change your password every 90 days. ... ASB Securities Limited 2006. ASB Securities Limited is a NZX Primary Market Participant (NZX ...
https://ost.asbbank.co.nz/ - 13k - Cached - Similar pages
11. ASB Nelson Giants
Local basketball team. Includes player biographies, game photographs, match reports and news.
www.giants.co.nz/ - 42k - Cached - Similar pages
12. ASB Showgrounds - New Zealand's Premier Exhibition Centre
ASB Showgrounds - New Zealand's Premier Exhibition Centre ... Copyright 2006 ASB Showgrounds | Design & Hosting By: Pixel Power.
www.asbshowgrounds.co.nz/ - 10k - Cached - Similar pages
13. ASB Group Investments | Kiwisaver
Thanks to our experience and proven track record, the Government has chosen ASB Group Investments as one of the six ‘default’ KiwiSaver providers. ...
www.asb.co.nz/kiwisaver/ - 12k - Cached - Similar pages
14. 3 News > TV Shows > ASB Business
For market updates, insight from people in the know and interviews with global leaders, Michael Wilson presents ASB Business - your morning business show.
www.3news.co.nz/TVShows/ASBBusiness/tabid/866/Default.aspx - 63k - Cached - Similar pages
15. Activists ask Shahar Peer to withdraw from ASB Classic | NATIONAL
7 Jan 2009 ... Anti-Israel activists are asking Shahar Peer to withdraw from the ASB Classic in Auckland, but the Israeli tennis player says politics is ...
tvnz.co.nz/national-news/gaza-conflict-touches-asb-classic-2436094 - 38k - Cached - Similar pages
16. ASB and Westpac cuts mortgage rates further | National Business ...
16 Jan 2009 ... ASB is cutting its fixed mortgage rate for 18 months through to 60 months to 6.95 percent. "With forecasters predicting a global downturn ...
www.nbr.co.nz/article/asb-and-westpac-cuts-mortgage-rates-further-39611 - 25k - Cached - Similar pages
17. QUEENSTOWN INTERNATIONAL JAZZ FESTIVAL
Over 10 days of live jazz music, with more than 100 musicians from all over the world, set in the idyllic resort town of Queenstown, New Zealand, ...
www.asbjazzfest.co.nz/ - 4k - Cached - Similar pages
18. Scoop: ASB wins leading ASFONZ award
ASB Group Investments was the big winner at last night’s 2008 ASFONZ Communications Awards ceremony held in Wellington, winning three of the five awards ...
www.scoop.co.nz/stories/BU0812/S00230.htm - 56k - Cached - Similar pages
19. ASB Theatre Auckland Performing Arts Information, Aotea Centre ...
Auckland Performing Arts information for - ASB Theatre , Aotea Centre, The Edge® , ,
www.viewauckland.co.nz/info_perform_3.html - 33k - Cached - Similar pages
20. Meningitis strikes ASB Classic second seed - New Zealand's source ...
16 Dec 2008 ... New Zealand's source for sport, rugby, cricket & league news on Stuff.co.nz.
www.stuff.co.nz/4794994a1823.html - Similar pages

I’m running that Malwarebytes software now, I’ll post the results when it is finished.

Jacquie
21-01-2009, 05:45 PM
It found and removed this but the problem is still there

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

21/01/2009 6:37:04 p.m.
mbam-log-2009-01-21 (18-37-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 205847
Time elapsed: 1 hour(s), 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSSqrdn.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxehr.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

Blam
21-01-2009, 07:00 PM
Doesn't look like there's anything bad, is the problem persisting?

If it is, run ComboFix and post a log here, pancake might be able to help

Speedy Gonzales
21-01-2009, 07:25 PM
Tick these, then tick Fix checked

Close browsers

None of these are nasty. But they don't have to run on startup

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

Are you running some kind of web server?

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Uninstall all versions of Java, it's out of date, then update it
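The O4 lines above are the HKLM\...\Run startup entries HijackThis found. As an added example (not code from this thread or from HijackThis), the PowerShell script below does the same audit on a live machine: it enumerates the Run/RunOnce keys under HKLM and HKCU, resolves each command to the executable it launches, and flags entries whose target is missing from disk or not carrying a valid Authenticode signature. It assumes PowerShell 5 or later on Windows; the flag is a triage aid only, since unsigned vendor utilities (several of the ones listed above, for instance) will also be flagged and need a human to judge them.

```powershell
# Added example, not part of the original thread.
# Audits the autostart locations that HijackThis reports as O4 entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunTargetPath {
    param([string]$Command)
    # A quoted path is taken whole; otherwise the first token is the program.
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Command -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # Bare names such as "regsvr32" (see the MsmqIntCert entry) resolve via PATH.
    if (-not (Test-Path -LiteralPath $path)) {
        $resolved = Get-Command $path -ErrorAction SilentlyContinue
        if ($resolved -and $resolved.Source) { $path = $resolved.Source }
    }
    return $path
}

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($name)
            $path   = Get-RunTargetPath $cmd
            $exists = Test-Path -LiteralPath $path
            # Missing target: orphaned entry or file hidden from the usual APIs.
            # Unsigned target: not proof of malware, but worth a second look.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'N/A' }
            [PSCustomObject]@{
                Key       = $key
                Name      = $name
                Command   = $cmd
                Target    = $path
                Exists    = $exists
                SigStatus = $sig
                Flag      = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
    }
}

# Flagged entries first; review these before ticking anything in HijackThis.
Get-RunEntryReport |
    Sort-Object Flag -Descending |
    Format-Table Name, Target, Exists, SigStatus, Flag -AutoSize
```

Run it from an elevated prompt so the HKLM keys and every target file are readable. Entries that point at a file which does not exist on disk deserve the most attention: a rootkit of the kind Malwarebytes removed above (TDSS) hides its own files, so a Run value whose target "is not there" can be a symptom rather than a stale leftover.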

Jacquie
21-01-2009, 08:08 PM
I'm not running on a server, but somewhere I worked a year or two ago had a server and someone set my computer to connect to it, but I no longer need it.

Speedy Gonzales
21-01-2009, 08:42 PM
OK, you can tick all of the entries then

Jacquie
21-01-2009, 09:14 PM
Amazing, something's worked, the problem seems to have gone away!!! Getting normal results on the searches, which is great.


Can't remove Java though, it's gone in Add and Remove Programs but definitely still there in Program Files and as an icon in Control Panel. If I try to delete the files directly it won't let me.

Blam
21-01-2009, 09:16 PM
Get JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and run it, it'll do it automatically for you