Google redirect problem, 6 steps completed, logs attached

Solved
By frustratedinSA
Jul 23, 2010
Topic Status:
Not open for further replies.
  1. Hello Everyone-

    I too have a problem with search queries in google being redirected to other websites. Any help with this matter would be greatly appreciated.

    My logs are attached.

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Download Security Check from HERE, and save it to your Desktop.

    * Double-click SecurityCheck.exe
    * Follow the onscreen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    =========================================================================

    Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
  3. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    Broni-

    First of all let me say that I am glad you responded to my post. I have seen some of your work recently on this forum and it seems like you have a good track record.

    Here are the results for Security Check:
    Results of screen317's Security Check version 0.99.4
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Norton AntiVirus
    Norton AntiVirus (Symantec Corporation)
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 9.3.3
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    Unknown. This method cannot test your vulnerability to DNS cache poisoning.

    ``````````End of Log````````````

    ====================================================

    Here are the results from TDSSKiller:
    2010/07/23 16:55:59.0593 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
    2010/07/23 16:55:59.0593 ================================================================================
    2010/07/23 16:55:59.0593 SystemInfo:
    2010/07/23 16:55:59.0593
    2010/07/23 16:55:59.0593 OS Version: 5.1.2600 ServicePack: 3.0
    2010/07/23 16:55:59.0593 Product type: Workstation
    2010/07/23 16:55:59.0593 ComputerName: HOME-9700581374
    2010/07/23 16:55:59.0593 UserName: Danea
    2010/07/23 16:55:59.0593 Windows directory: C:\WINDOWS
    2010/07/23 16:55:59.0593 System windows directory: C:\WINDOWS
    2010/07/23 16:55:59.0593 Processor architecture: Intel x86
    2010/07/23 16:55:59.0593 Number of processors: 1
    2010/07/23 16:55:59.0593 Page size: 0x1000
    2010/07/23 16:55:59.0593 Boot type: Normal boot
    2010/07/23 16:55:59.0593 ================================================================================
    2010/07/23 16:56:00.0156 Initialize success
    2010/07/23 16:56:03.0234 ================================================================================
    2010/07/23 16:56:03.0234 Scan started
    2010/07/23 16:56:03.0234 Mode: Manual;
    2010/07/23 16:56:03.0234 ================================================================================
    2010/07/23 16:56:04.0437 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/07/23 16:56:04.0578 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/07/23 16:56:04.0750 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/07/23 16:56:04.0859 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/07/23 16:56:05.0546 ALCXSENS (ba88534a3ceb6161e7432438b9ea4f54) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
    2010/07/23 16:56:05.0734 ALCXWDM (647b8e33e1166829889502a3df2a7ba8) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2010/07/23 16:56:06.0078 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/07/23 16:56:06.0406 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/07/23 16:56:06.0421 Scan interrupted by user!
    2010/07/23 16:56:06.0421 Scan interrupted by user!
    2010/07/23 16:56:06.0421 ================================================================================
    2010/07/23 16:56:06.0421 Scan finished
    2010/07/23 16:56:06.0421 ================================================================================
    2010/07/23 16:57:18.0421 Deinitialize success

    ==================================

    Let me know what else I need to do. Thanks!
  4. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Thank you :)

    Now, your TDSSKiller log says: "Scan interrupted by user!"
    What happened?
  5. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    I couldn't figure out the instructions you sent at first for the TDSSKiller but then I ran it again and it gave me the attached results.

    Do I need to run the scan again?
  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  7. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    ComboFix completed. Combofix had to restart the computer to run. After it ran and completed the log below, Norton posted a warning that it had dectected Backdoor.Tidserv!inf.

    Here is the Combofix log:
    ComboFix 10-07-24.01 - Danea 07/24/2010 16:41:28.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.157 [GMT -5:00]
    Running from: c:\documents and settings\Danea\Desktop\ComboFix.exe
    AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Thumbs.db

    Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
    .

    2010-07-23 21:17 . 2010-07-23 21:17 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-23 14:42 . 2010-07-23 14:42 -------- d-----w- c:\documents and settings\Danea\Application Data\Malwarebytes
    2010-07-23 14:40 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-23 14:40 . 2010-07-23 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-23 14:40 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-23 14:40 . 2010-07-23 14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-23 13:58 . 2010-07-24 21:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-23 08:26 . 2010-07-23 08:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-23 08:22 . 2010-07-23 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-07-23 08:22 . 2010-07-23 08:22 -------- d-----w- c:\program files\Lavasoft
    2010-07-23 08:13 . 2010-07-23 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-07-23 08:13 . 2010-07-23 08:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-23 07:07 . 2010-07-23 07:06 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-02 03:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-07-02 03:41 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-07-02 03:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-24 02:06 . 2008-10-04 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-23 21:36 . 2006-10-06 22:31 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-23 21:13 . 2010-07-23 21:13 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-23 18:52 . 2006-09-21 13:24 -------- d-----w- c:\program files\Symantec
    2010-07-23 08:46 . 2007-01-02 04:05 -------- d-----w- c:\program files\Java
    2010-07-23 07:51 . 2009-11-29 23:42 -------- d-----w- c:\documents and settings\Danea\Application Data\HPAppData
    2010-07-23 07:09 . 2010-07-23 07:09 61440 ----a-w- c:\documents and settings\Danea\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-621fc12f-n\decora-sse.dll
    2010-07-23 07:09 . 2010-07-23 07:09 503808 ----a-w- c:\documents and settings\Danea\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-35c8d4be-n\msvcp71.dll
    2010-07-23 07:09 . 2010-07-23 07:09 499712 ----a-w- c:\documents and settings\Danea\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-35c8d4be-n\jmc.dll
    2010-07-23 07:09 . 2010-07-23 07:09 12800 ----a-w- c:\documents and settings\Danea\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-621fc12f-n\decora-d3d.dll
    2010-07-23 07:09 . 2010-07-23 07:09 348160 ----a-w- c:\documents and settings\Danea\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-35c8d4be-n\msvcr71.dll
    2010-07-23 07:09 . 2007-01-02 04:05 -------- d-----w- c:\program files\Common Files\Java
    2010-07-23 04:59 . 2010-07-23 06:48 170962 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-07-12 08:56 . 2010-07-23 08:26 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
    2010-07-02 10:56 . 2008-07-01 01:02 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-23 13:50 . 2009-11-28 19:23 -------- d-----w- c:\program files\HP
    2010-05-18 21:36 . 2008-06-04 21:50 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
    2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ICF"="c:\program files\Internet Content Filter\SafeEyes.exe" [2009-07-27 1236712]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-04 282624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
    backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Danea^Start Menu^Programs^Startup^GoZone iSync.lnk]
    path=c:\documents and settings\Danea\Start Menu\Programs\Startup\GoZone iSync.lnk
    backup=c:\windows\pss\GoZone iSync.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonCom]
    c:\windows\VdCap03C\BisonCom [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Update]
    c:\program files\OpenDNS U [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2008-10-17 20:52 51048 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    2004-12-02 23:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2007-03-15 22:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hcontrol]
    2004-05-27 01:44 86016 ----a-r- c:\windows\ATK0100\Hcontrol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2004-05-21 08:50 118784 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2004-05-21 08:50 155648 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 09:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    2008-02-07 06:49 718704 ----a-w- c:\program files\Norton AntiVirus\osCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-10-04 03:51 282624 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-11-01 00:42 32768 ----a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2007-04-23 17:43 228088 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-05-21 08:46 66048 ----a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upromise Tray]
    2009-04-14 22:37 139264 ----a-w- c:\program files\Upromise\UpromiseTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upromise Update]
    2009-04-13 21:50 96136 ----a-w- c:\program files\Upromise\dca-ua.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\SPSSInc\\SPSS16GP\\spss.com"=
    "c:\\Program Files\\SPSSInc\\SPSS16GP\\spss.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SPSSInc\\SPSS16GP\\SPSSWinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\SPSS16GP\\ExportToPowerPoint.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/3/2010 2:02 AM 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/3/2010 2:02 AM 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/3/2010 2:02 AM 482432]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1352832]
    R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/3/2010 2:02 AM 117640]
    R3 ATKXPDisplayName;ATKXPDisplayName;c:\windows\system32\drivers\ATKACPI.sys [9/19/2006 4:54 PM 5786]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2010 7:00 PM 102448]
    S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090910.003\IDSXpx86.sys [9/12/2009 12:19 PM 276344]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 8:47 PM 149352]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 9:32 PM 23888]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

    2010-07-24 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    LSP: ICF.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-24 17:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1204)
    c:\windows\system32\ICF.dll
    .
    Completion time: 2010-07-24 17:29:43
    ComboFix-quarantined-files.txt 2010-07-24 22:29

    Pre-Run: 19,068,141,568 bytes free
    Post-Run: 19,147,497,472 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - BB0966E027D1319B14D665D005165884
  8. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Looks good :)

    How is redirection issue?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    Computer runs approximately 3x as slow as before. Combofix uninstall command line was run and computer was restarted. However the combofix icon is still on the desktop. Google search redirection is not occurring anymore.

    Both the OTL.txt and Extras.Txt logs were too many characters. They are attached.

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Your computer would greatly benefit from adding another 512MB of RAM.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Danea\LOCALS~1\Temp\catchme.sys -- (catchme)
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager]  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000001 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000021 -  File not found
      O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2010/07/24 18:37:56 | 000,000,000 | ---D | C] -- C:\ComboFix
      [2010/07/24 16:08:40 | 000,000,000 | ---D | C] -- C:\Qoobox
      [2010/07/23 16:55:18 | 001,170,256 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Danea\Desktop\TDSSKiller.exe
      [7 C:\Documents and Settings\Danea\Desktop\*.tmp files -> C:\Documents and Settings\Danea\Desktop\*.tmp -> ]
      [2010/07/24 16:10:53 | 003,743,885 | R--- | M] () -- C:\Documents and Settings\Danea\Desktop\ComboFix.exe
      @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C895616B
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
      "DisableMonitoring" ==
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
  11. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    All processes killed
    ========== OTL ==========
    Service catchme stopped successfully!
    Service catchme deleted successfully!
    File C:\DOCUME~1\Danea\LOCALS~1\Temp\catchme.sys not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Uninstall Adobe Download Manager deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\ deleted successfully.
    Starting removal of ActiveX control {44990301-3C9D-426D-81DF-AAB636FA4345}
    C:\WINDOWS\Downloaded Program Files\tgctlsr.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990301-3C9D-426D-81DF-AAB636FA4345}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990301-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44990301-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990301-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\ComboFix folder moved successfully.
    C:\Qoobox\Quarantine\Registry_backups folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32 folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS folder moved successfully.
    C:\Qoobox\Quarantine\C folder moved successfully.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    It doesn't look like a whole log.
  13. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    C:\Qoobox\Quarantine folder moved successfully.
    C:\Qoobox\BackEnv folder moved successfully.
    C:\Qoobox folder moved successfully.
    C:\Documents and Settings\Danea\Desktop\TDSSKiller.exe moved successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL0490.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL2704.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL2743.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL3124.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL3270.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL3492.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\~WRL4096.tmp deleted successfully.
    C:\Documents and Settings\Danea\Desktop\ComboFix.exe moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:C895616B deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\"DisableMonitoring" =| /E : value set successfully!
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Danea
    ->Temp folder emptied: 797 bytes
    ->Temporary Internet Files folder emptied: 17880094 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1731 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56504 bytes

    User: Jonathan
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32969 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 2601 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 43777 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 17.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Danea
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Jonathan
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

    OTL by OldTimer - Version 3.2.9.1 log created on 07242010_201035

    Files\Folders moved on Reboot...
    C:\Documents and Settings\Danea\Local Settings\Temporary Internet Files\Content.IE5\X4XWUVN3\sh21[1].htm moved successfully.
    C:\Documents and Settings\Danea\Local Settings\Temporary Internet Files\Content.IE5\VB14QRXC\topic150522[1].htm moved successfully.
    C:\Documents and Settings\Danea\Local Settings\Temporary Internet Files\Content.IE5\DVXP1L7K\ads[2].htm moved successfully.
    C:\Documents and Settings\Danea\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
    File\Folder C:\WINDOWS\temp\JETC30.tmp not found!
    C:\WINDOWS\temp\Perflib_Perfdata_79c.dat moved successfully.

    Registry entries deleted on Reboot...
  14. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    My apologies. I didn't realize that a part of the log was missing.
  15. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Now you're talking :)

    Last scan....

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  16. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    Here is the Kaspersky Log.
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, July 25, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, July 25, 2010 02:16:33
    Records in database: 4219737
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 65063
    Threats found: 1
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 04:06:22


    File name / Threat / Threats count
    C:\System Volume Information\_restore{9D0DCE14-4F87-4CBE-96F2-5C430DE2871A}\RP592\A0271225.sys Infected: Rootkit.Win32.TDSS.ap 1
    C:\_OTL\MovedFiles\07242010_201035\C_Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

    Selected area has been scanned.
  17. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ======================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
  18. frustratedinSA

    frustratedinSA Newcomer, in training Topic Starter

    Broni-

    I have completed all of the steps. Thank you very much for your assistance. It is very likely that I would have spent at least $100 to have someone help me out.

    I will be sending any people I know who may have smilar problems in the future to this board and if my computer gets infected again. I will be contacting you.

    Thanks again!!
     
  19. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You're very welcome and I'm glad to see you and your computer happy :)
    Good luck and stay safe :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.