Being redirecting and getting pop-ups

Solved
By needhelp22
Jul 31, 2010
Topic Status:
Not open for further replies.
  1. I am being redirected using google with Internet explorer. I can sometimes get to the link using the open in new tab option. Also I get pop-ups usually only once or twice (most of the time its a registry cleaner one) until I restart the computer and I get them again.

    I completed the 8 steps the best I could and here are the 3 logs and then I attached the last one.

    Any help is greatly appreciated.



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4374

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    7/31/2010 11:54:01 AM
    mbam-log-2010-07-31 (11-54-01).txt

    Scan type: Quick scan
    Objects scanned: 132051
    Time elapsed: 6 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-31 12:49:08
    Windows 6.1.7600
    Running: msl9oqr2.exe; Driver: C:\Users\Mark\AppData\Local\Temp\kxldypoc.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E203F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E092D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E08898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E201DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E206F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E211A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E80599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EA4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtProtectVirtualMemory 77C85380 5 Bytes JMP 0015000A
    .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtWriteVirtualMemory 77C85F00 5 Bytes JMP 0016000A
    .text C:\Windows\system32\svchost.exe[772] ntdll.dll!KiUserExceptionDispatcher 77C86448 5 Bytes JMP 000C000A
    .text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 775957FC 5 Bytes JMP 0048000A
    .text C:\Windows\Explorer.EXE[1268] ntdll.dll!NtProtectVirtualMemory 77C85380 5 Bytes JMP 0041000A
    .text C:\Windows\Explorer.EXE[1268] ntdll.dll!NtWriteVirtualMemory 77C85F00 5 Bytes JMP 0042000A
    .text C:\Windows\Explorer.EXE[1268] ntdll.dll!KiUserExceptionDispatcher 77C86448 5 Bytes JMP 0040000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 848A0EC5

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00271358dba4
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00271358dba4 (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Mark at 12:55:13.10 on Sat 07/31/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1789.899 [GMT -5:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\Hpservice.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Mark\Desktop\dds.scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/ig
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-31 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-31 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-31 60936]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-23 1831024]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-2 102448]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-2-17 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-6 1343400]

    =============== Created Last 30 ================

    2010-07-31 16:45:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-31 16:45:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-31 16:45:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-31 15:47:34 0 d-----w- c:\users\mark\appdata\roaming\Avira
    2010-07-31 15:43:18 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-07-31 15:43:17 0 d-----w- c:\programdata\Avira
    2010-07-31 15:43:17 0 d-----w- c:\program files\Avira
    2010-07-27 01:15:51 0 d-----w- c:\program files\AVG
    2010-07-19 13:40:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2010-07-15 13:18:47 65536 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TM.blf
    2010-07-15 13:18:47 524288 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
    2010-07-15 13:18:47 524288 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
    2010-07-15 11:32:38 65536 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TM.blf
    2010-07-15 11:32:38 524288 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
    2010-07-15 11:32:38 524288 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
    2010-07-15 01:08:34 65536 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TM.blf
    2010-07-15 01:08:34 524288 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
    2010-07-15 01:08:34 524288 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
    2010-07-13 20:03:52 0 d-----w- c:\users\mark\appdata\roaming\C2432940CB55FA746B182EC9F6F57398
    2010-07-11 11:22:06 26624 ----a-w- c:\users\mark\Babygame.doc
    2010-07-02 14:25:50 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2010-07-02 14:24:43 97096 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2010-07-02 14:24:21 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-07-02 14:24:21 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-07-02 14:24:21 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-07-02 14:24:01 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
    2010-07-02 14:24:01 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
    2010-07-02 14:24:01 1060864 ----a-w- c:\windows\system32\MFC71.DLL
    2010-07-02 14:23:51 0 d-----w- c:\programdata\Symantec
    2010-07-02 14:23:51 0 d-----w- c:\program files\Symantec
    2010-07-02 14:23:51 0 d-----w- c:\program files\common files\Symantec Shared
    2010-07-02 13:50:59 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-07-02 13:50:59 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-02 13:49:35 0 d-----w- c:\users\mark\appdata\roaming\Malwarebytes
    2010-07-02 13:49:27 0 d-----w- c:\programdata\Malwarebytes

    ==================== Find3M ====================

    2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 19:14:28 221568 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 12:56:36.94 ===============

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    You're running two AV programs, Norton and Avira. One of them has to go.
    If Norton, make sure to use Norton Removal Tool: http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN
    In that case, make sure to turn Windows firewall on.

    When done....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    When I double click on Combofix a window with a green bar comes up, after about 10 sec it closes and then nothing else happens. Did I do something wrong?

    Thanks for any help.
  4. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Did you uninstall one of AV programs?

    =======================================================================

    Delete your Combofix file, download fresh one, but this time, rename combofix.exe to broni.exe BEFORE downloading it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    • * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    • * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now, run broni.exe
  5. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    Yes I uninstalled Avira.

    I was able to follow all of the steps as you stated. Wasnt sure which logs you wanted to see so I attached all 3.

    Thanks.

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Good :)

    How is redirection?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\program files\AVG
    
    DirLook::
    c:\users\Mark\AppData\Roaming\C2432940CB55FA746B182EC9F6F57398
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  7. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    Everything seems to be working correctly. Here is the log you requested.

    ComboFix 10-08-02.01 - Mark 08/02/2010 19:42:01.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1789.1043 [GMT -5:00]
    Running from: c:\users\Mark\Desktop\broni.exe
    Command switches used :: c:\users\Mark\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AVG

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
    .

    2010-08-03 00:45 . 2010-08-03 00:45 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-08-03 00:45 . 2010-08-03 00:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-03 00:40 . 2010-08-03 00:41 -------- d-----w- C:\32788R22FWJFW
    2010-08-02 23:48 . 2010-08-03 00:45 -------- d-----w- c:\users\Mark\AppData\Local\temp
    2010-08-02 21:46 . 2010-08-02 21:46 -------- d-----w- c:\users\Mark\AppData\Local\Microsoft Games
    2010-08-02 19:44 . 2010-08-02 19:44 -------- d-----w- c:\program files\Microsoft Games
    2010-07-31 16:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-31 16:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-31 16:45 . 2010-07-31 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-29 13:52 . 2010-07-29 13:52 -------- d-----w- c:\program files\Common Files\Java
    2010-07-26 23:41 . 2010-07-27 00:57 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-07-19 20:55 . 2010-07-19 20:55 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2010-07-19 20:55 . 2010-07-19 20:55 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2010-07-19 20:55 . 2010-07-19 20:55 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2010-07-19 20:55 . 2010-07-19 20:55 588096 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2010-07-13 20:03 . 2010-07-13 20:04 -------- d-----w- c:\users\Mark\AppData\Roaming\C2432940CB55FA746B182EC9F6F57398
    2010-07-12 23:13 . 2010-07-12 23:13 -------- d-----w- c:\windows\Sun
    2010-07-10 02:22 . 2010-07-10 02:22 0 ----a-w- c:\windows\nsreg.dat
    2010-07-10 02:22 . 2010-07-10 02:22 -------- d-----w- c:\users\Mark\AppData\Local\Mozilla
    2010-07-09 20:29 . 2010-07-09 20:29 -------- dc----w- c:\users\Mark\AppData\Local\MigWiz

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-29 13:52 . 2010-02-17 17:50 -------- d-----w- c:\program files\Java
    2010-07-29 11:34 . 2010-07-02 13:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-29 11:34 . 2010-07-02 13:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-07-19 13:40 . 2010-07-19 13:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2010-07-15 13:16 . 2010-07-02 14:23 -------- d-----w- c:\program files\Symantec
    2010-07-15 13:16 . 2010-02-17 16:17 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-15 13:16 . 2010-07-02 14:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-07-15 13:16 . 2010-02-17 17:52 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-15 13:11 . 2010-07-02 14:23 -------- d-----w- c:\programdata\Symantec
    2010-07-15 13:10 . 2010-07-02 13:49 -------- d-----w- c:\programdata\Malwarebytes
    2010-07-15 13:10 . 2010-02-17 16:17 -------- d-----w- c:\program files\Microsoft
    2010-07-02 14:24 . 2010-07-02 14:24 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-07-02 14:24 . 2010-07-02 14:24 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-07-02 14:24 . 2010-07-02 14:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-07-02 13:49 . 2010-07-02 13:49 -------- d-----w- c:\users\Mark\AppData\Roaming\Malwarebytes
    2010-06-28 18:51 . 2010-02-16 23:01 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-15 02:12 . 2010-02-16 22:59 -------- d-----w- c:\programdata\Microsoft Help
    2010-06-03 00:59 . 2010-07-02 14:25 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2010-05-27 07:24 . 2010-06-13 20:25 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-13 20:25 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 19:14 . 2010-02-16 22:28 221568 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-05-21 05:18 . 2010-06-13 20:27 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-09 09:14 . 2010-06-28 02:54 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-05-09 09:14 . 2010-06-28 02:54 417792 ----a-w- c:\windows\system32\msdri.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\users\Mark\AppData\Roaming\C2432940CB55FA746B182EC9F6F57398 ----



    ((((((((((((((((((((((((((((( SnapShot@2010-08-02_23.46.25 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-02-17 13:56 . 2010-08-02 23:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-02-17 13:56 . 2010-08-03 00:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-02-17 13:56 . 2010-08-02 23:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-02-17 13:56 . 2010-08-03 00:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-02-17 13:56 . 2010-08-02 23:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-02-17 13:56 . 2010-08-03 00:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 02:03 . 2010-08-02 23:54 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:03 . 2010-08-02 19:45 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 136176]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-02-27 26168]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 00:56]

    2010-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 00:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-08-02 19:47:31
    ComboFix-quarantined-files.txt 2010-08-03 00:47
    ComboFix2.txt 2010-08-02 23:48

    Pre-Run: 225,937,739,776 bytes free
    Post-Run: 225,878,257,664 bytes free

    - - End Of File - - 64C3DA5E4CE246EBC8C786B58965CA73
  8. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Great :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    When I click on the uninstal a window pops up that says, windows cannot find 'broni.exe'.
  10. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Oh, I'm sorry. I forgot, we renamed the file.

    Delete Combofix manually....
    Delete Combofix, Qoobox folders,and Combofix.txt file from C:
    Delete broni.exe from your desktop
  11. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    I hope I didnt screw this up. I clicked the quick scan button before I pasted the entry. Then after 1st the scan was complete I pasted the entry in the box and clicked on the quick scan again.

    I had to attach the files because they were too long to post. This is the 2nd OTL.txt and the extras.txt

    Attached Files:

     
  12. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  13. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    When I clicked on the link i said I had version 6 update 20 and should have update 21. Clicked on download, then agree to download, then run. After that an error box shows up and says downloaded file is corrupt.
  14. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Try again. Try different browser.
    Make sure to select "off-line" version.
  15. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    I had to switch to mozilla but I got Java installed and here is the OTL fix scan.

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Temp folder emptied: 364721 bytes
    ->Temporary Internet Files folder emptied: 28329798 bytes
    ->Java cache emptied: 74843 bytes
    ->FireFox cache emptied: 26068427 bytes
    ->Flash cache emptied: 2822 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3962 bytes
    RecycleBin emptied: 5745767 bytes

    Total Files Cleaned = 58.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08022010_222932

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  16. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Good :)

    ...and...
  17. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    Here is the quick scan log.

    Thanks a lot for your help today!

    Attached Files:

    • OTL.Txt
      File size:
      95.1 KB
      Views:
      1
  18. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    You're very welcome :)

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  19. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    Here are the results for the security check scan. I am working on step 2 and 3. I will send you the results of the 3rd step soon.



    Results of screen317's Security Check version 0.99.5
    Windows 7 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Symantec Endpoint Protection
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player
    Adobe Reader 9.3.3
    Mozilla Firefox (3.6.8)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    ````````````````````````````````
    DNS Vulnerability Check:


    ``````````End of Log````````````
  20. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Excellent :)
  21. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    Here is the scan report.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, August 3, 2010
    Operating system: Microsoft Professional (build 7600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, August 03, 2010 19:48:01
    Records in database: 4147105
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 71243
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 01:13:22

    No threats found. Scanned area is clean.

    Selected area has been scanned.
  22. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Wonderful :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =====================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
  23. needhelp22

    needhelp22 Newcomer, in training Topic Starter

    Everything is working great! Thanks a lot for all your help.

    I ran the defrag and then scheduled it to run once a week.

    I have Symantec endpoint, Malwarebytes, and I installed WOT. Do you think I should install an anti-spyware program or anything else? Is there anything else you would recommend?

    Thanks again for you help.
  24. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    You're good to go :)

    Good luck and stay safe :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.