TechSpot

Web browser redirects to random sites - please help!

By atomski
Apr 21, 2011
  1. When using Internet Explorer and Firefox, my browser has started (today) redirecting to random sites. This happened shortly after a USB stick was connected to my laptop, so I suspect a malware infection.

    I have tried running McAfee On Demand scan and Malwarebytes' Anti-Malware, but the problem persists. I have followed the 8 steps to identifying malware infections; the logs follow at the end of this post.

    I am running Windows XP Version 5.1 Service Pack 3.

    I would greatly appreciate help in resolving this problem.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6407

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    20/04/2011 20:25:38
    mbam-log-2011-04-20 (20-25-38).txt

    Scan type: Quick scan
    Objects scanned: 156895
    Time elapsed: 7 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-04-21 07:42:52
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LB01
    Running: ccjnqwxm.exe; Driver: C:\DOCUME~1\NEILHY~1\LOCALS~1\Temp\kfpcrfog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Neil Hy at 7:55:56.71 on 21/04/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3069.2556 [GMT 1:00]
    .
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k eapsvcs
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k dot3svc
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\EPSON\BSTM\PG\E_L20IC2.EXE
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [NWTRAY] NWTRAY.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [EPSON PageSTM TrayIcon01] c:\program files\epson\bstm\pg\E_L20IC2.EXE
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\neilhy~1\applic~1\mozilla\firefox\profiles\yg4zx6hy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\neil hy\application data\mozilla\firefox\profiles\yg4zx6hy.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2011-1-9 1737464]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-12 104000]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
    R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [2008-9-15 72448]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-12 244368]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-12 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-12 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-12 168776]
    R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-4-22 37040]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-23 135664]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-8-3 100736]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-1-9 9216]
    .
    =============== Created Last 30 ================
    .
    2011-04-20 17:13:29 -------- d-sha-r- C:\cmdcons
    2011-04-20 17:10:33 98816 ----a-w- c:\windows\sed.exe
    2011-04-20 17:10:33 89088 ----a-w- c:\windows\MBR.exe
    2011-04-20 17:10:33 256512 ----a-w- c:\windows\PEV.exe
    2011-04-20 17:10:33 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-20 16:01:40 -------- d-----w- c:\docume~1\neilhy~1\applic~1\Malwarebytes
    2011-04-20 16:01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-20 16:01:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-20 16:01:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-20 16:01:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-20 11:06:41 0 ----a-w- c:\windows\Vyiqo.bin
    2011-04-20 11:06:08 -------- d-----w- c:\docume~1\neilhy~1\applic~1\Wyaw
    2011-04-20 11:06:08 -------- d-----w- c:\docume~1\neilhy~1\applic~1\Ukdy
    2011-04-20 11:04:50 69632 --sha-r- c:\windows\system32\pmsplp.dll
    2011-04-19 11:14:37 -------- d-----w- c:\windows\Yb2Ti2O7
    2011-04-10 17:48:24 -------- d-----w- c:\docume~1\neilhy~1\locals~1\applic~1\Help
    .
    ==================== Find3M ====================
    .
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-10 07:49:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-10 07:49:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    ============= FINISH: 7:56:55.39 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/09/2008 12:15:33
    System Uptime: 21/04/2011 07:47:44 (0 hours ago)
    .
    Motherboard: Sony Corporation | | VAIO
    Processor: Intel Pentium III Xeon processor | N/A | 791/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 182 GiB total, 124.605 GiB free.
    D: is CDROM (UDF)
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 20/04/2011 14:05:14 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    3Connect
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.6
    Apple Software Update
    ATOMS60
    Audacity 1.2.6
    Brother HL-5150D
    Chinese Simplified Fonts Support For Adobe Reader 8
    EPSON AcuLaser M2000_M2010 Manual
    EPSON Printer Software
    Epson Universal Laser P6
    EPSON Web-To-Page
    GlobeTrotter Connect
    Google Toolbar for Internet Explorer
    Google Update Helper
    GSAS & EXPGUI
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB981793)
    Huawei modem
    Ifeffit 1.2.11
    Intel PROSet Wireless
    Intel(R) PROSet/Wireless WiFi Software
    J2SE Runtime Environment 5.0 Update 5
    Japanese Fonts Support For Adobe Reader 8
    Java Auto Updater
    Java(TM) 6 Update 22
    Korean Fonts Support For Adobe Reader 8
    Malwarebytes' Anti-Malware
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.6.16)
    NICI (Shared) U.S./Worldwide (128 bit) (2.6.8-2)
    NMAS Challenge Response Method
    NMAS Client
    Novell Client for Windows
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office Groove 2007 (KB2494047)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Soft Data Fax Modem with SmartCP
    Sony Utilities DLL
    Sony Visual Communication Camera Ver.6.201.220.0
    SRIM
    System Requirements Lab for Intel
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Outlook 2007 Junk Email Filter (KB2522999)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows 7 Upgrade Advisor
    Windows Driver Package - Intel (e1yexpress) Net (03/27/2008 9.50.14.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Wireless Switch Setting Utility
    ZTE_1.2059.0.8
    .
    ==== Event Viewer Messages From Past Week ========
    .
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:39, error: Service Control Manager [7034] - The BecHelperService service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:38, error: Service Control Manager [7034] - The Intel® PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:38, error: Service Control Manager [7034] - The EpsonBidirectionalService service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:38, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. It has done this 1 time(s).
    20/04/2011 20:13:38, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    20/04/2011 17:57:49, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    20/04/2011 15:46:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    20/04/2011 15:40:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    20/04/2011 15:38:25, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    20/04/2011 11:53:39, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
    18/04/2011 16:02:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    18/04/2011 16:02:17, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    16/04/2011 18:21:53, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    16/04/2011 18:20:27, error: Service Control Manager [7002] - The BrPar service depends on the Parallel arbitrator group and no member of this group started.
    15/04/2011 08:47:28, error: Dhcp [1002] - The IP address lease 82.38.206.254 for the Network Card with network address 001A80D62BD0 has been denied by the DHCP server 143.167.2.2 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help you find and remove the culprit! I note several suspicious entries in these logs, so we should check further:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ========================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    Note: McAfee sometimes pops up and tells the user that he is using a malware related program. This is usually based on the file extension. The downloads I'm giving you are clean and safe. If you do get the pop up from McAfee, okay to override it. If you cannot, please let me know and I will instruct you further.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    NOTE: You should update both of the following. Then uninstall the earlier versions in Add/Remove Programs:
    Java Update
    Adobe Reader Update
  3. atomski

    atomski TS Rookie Topic Starter

    Next step

    Hi Bobbye

    Thanks for your help in this, I have followed your instructions and also updated Java and Adobe Reader. The output logs follow. Please advise on the next step, after review.

    ****

    ESET log

    C:\Qoobox\Quarantine\C\WINDOWS\Mqafua.exe.vir a variant of Win32/Kryptik.MUU trojan
    C:\Qoobox\Quarantine\C\WINDOWS\oxofiyasomizihaw.dll.vir a variant of Win32/Kryptik.MVM trojan
    C:\System Volume Information\_restore{A3F6F97F-42A8-4B51-B6D3-F2DED1A65F14}\RP1\A0000022.exe a variant of Win32/Adware.HotBar.H application

    ****

    ComboFix 11-04-21.01 - Neil 21/04/2011 18:54:09.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3069.2469 [GMT 1:00]
    Running from: c:\documents and settings\Neil \Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-21 17:08 . 2011-04-21 17:08 -------- d-----w- c:\program files\ESET
    2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Malwarebytes
    2011-04-20 16:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-20 16:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-20 11:06 . 2011-04-20 11:06 0 ----a-w- c:\windows\Vyiqo.bin
    2011-04-20 11:06 . 2011-04-20 13:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Ukdy
    2011-04-20 11:06 . 2011-04-20 11:32 -------- d-----w- c:\documents and settings\Neil \Application Data\Wyaw
    2011-04-20 11:04 . 2011-04-20 11:04 69632 --sha-r- c:\windows\system32\pmsplp.dll
    2011-04-19 11:14 . 2011-04-19 12:06 -------- d-----w- c:\windows\Yb2Ti2O7
    2011-04-10 17:48 . 2011-04-10 17:48 -------- d-----w- c:\documents and settings\Neil \Local Settings\Application Data\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-07 05:33 . 2008-04-22 15:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2008-04-22 07:17 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2008-04-22 07:17 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2008-04-22 07:17 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2008-04-22 07:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2008-04-22 07:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2008-04-22 07:16 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2008-04-22 07:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2008-04-22 07:17 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-07-23 07:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2008-04-22 07:16 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-10 07:49 . 2011-02-10 07:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-10 07:49 . 2011-02-10 07:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-09 13:53 . 2008-04-22 07:17 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2008-04-22 07:16 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33 . 2008-04-22 07:16 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33 . 2008-04-22 07:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58 . 2008-04-22 15:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2008-04-22 15:25 677888 ----a-w- c:\windows\system32\mstsc.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-04-20_17.19.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-21 08:29 . 2011-04-21 08:29 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
    + 2008-04-22 07:17 . 2011-04-21 08:33 72756 c:\windows\system32\perfc009.dat
    - 2008-04-22 07:17 . 2011-04-20 17:01 72756 c:\windows\system32\perfc009.dat
    + 2008-04-22 07:17 . 2011-04-21 08:33 445238 c:\windows\system32\perfh009.dat
    - 2008-04-22 07:17 . 2011-04-20 17:01 445238 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-13 503808]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-30 13529088]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-04-30 1347584]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-04-30 1191936]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "NWTRAY"="NWTRAY.EXE" [2006-07-13 28672]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-26 274608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    .
    R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [09/01/2011 11:05 1737464]
    R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [15/09/2008 13:30 72448]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/09/2008 15:49 244368]
    R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [22/04/2008 17:24 37040]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/07/2010 09:21 135664]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [03/08/2010 08:19 100736]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [09/01/2011 11:04 9216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
    .
    2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
    .
    2011-04-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-04-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\documents and settings\Neil \Application Data\Mozilla\Firefox\Profiles\yg4zx6hy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-21 18:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(988)
    c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
    c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
    c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
    c:\windows\system32\netprovcredman.dll
    .
    - - - - - - - > 'Explorer.exe'(2500)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-04-21 18:58:13
    ComboFix-quarantined-files.txt 2011-04-21 17:58
    ComboFix2.txt 2011-04-20 17:49
    ComboFix3.txt 2011-04-20 17:22
    .
    Pre-Run: 133,536,137,216 bytes free
    Post-Run: 133,514,391,552 bytes free
    .
    - - End Of File - - E0BB06DBC9A615CCCEBB9FF1484E1C16
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- internet was down.

    Nothing new in the Eset scan. Qoobox is where Combofix sends the entries it deletes. System Volume is a restore point. We will remove that at end of cleaning. The entry is not active in the system.

    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\Vyiqo.bin
    c:\windows\system32\pmsplp.dll
    Folder::
    c:\documents and settings\Neil \Application Data\Ukdy
    c:\documents and settings\Neil \Application Data\Wyaw
    c:\windows\Yb2Ti2O7
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile - c:\documents and settings\Neil \Application Data\Mozilla\Firefox\Profiles\yg4zx6hy.default\
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please update both of the following:
    Java Updates: Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Adobe Reader site: Uninstall any earlier updates as they are vulnerabilities.
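    The entries Bobbye singles out in that CFScript follow from a few properties visible in the "Files Created" listing of the ComboFix log in post 3: hidden+system attributes on a new DLL in system32, a zero-byte file and an unfamiliar folder dropped straight into c:\windows, and Application Data folders created within minutes of those. The Python script below is an added example, not part of the thread or of ComboFix; it parses those log lines (copied from post 3), applies those heuristics, and drafts the matching File::/Folder:: sections for a helper to review. The heuristics themselves and the 15-minute clustering window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# A ComboFix "Files Created" line has the form (directories show '--------' as size):
#   <created> . <modified> <size> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# An entry sitting directly in c:\windows, with no further subdirectory.
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)
# Assumed clustering window: entries created this close to a flagged one are
# treated as part of the same drop.
CLUSTER_WINDOW = timedelta(minutes=15)

# Lines copied from the ComboFix log posted in this thread (post 3).
SAMPLE_LOG = r"""
2011-04-21 17:08 . 2011-04-21 17:08 -------- d-----w- c:\program files\ESET
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Malwarebytes
2011-04-20 16:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 16:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 11:06 . 2011-04-20 11:06 0 ----a-w- c:\windows\Vyiqo.bin
2011-04-20 11:06 . 2011-04-20 13:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Ukdy
2011-04-20 11:06 . 2011-04-20 11:32 -------- d-----w- c:\documents and settings\Neil \Application Data\Wyaw
2011-04-20 11:04 . 2011-04-20 11:04 69632 --sha-r- c:\windows\system32\pmsplp.dll
2011-04-19 11:14 . 2011-04-19 12:06 -------- d-----w- c:\windows\Yb2Ti2O7
2011-04-10 17:48 . 2011-04-10 17:48 -------- d-----w- c:\documents and settings\Neil \Local Settings\Application Data\Help
"""


def parse_entries(text):
    """Parse log text into dicts; the '.' separators and banner lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "size": None if m.group("size").startswith("-") else int(m.group("size")),
            "attrs": m.group("attrs"),
            "is_dir": m.group("attrs").startswith("d"),
            "path": m.group("path"),
        })
    return entries


def triage(entries):
    """Return {path: [reasons]} for entries that deserve a closer look."""
    flagged = {}

    def add(entry, reason):
        flagged.setdefault(entry["path"], []).append(reason)

    for e in entries:
        attrs, low = e["attrs"], e["path"].lower()
        # 1. Hidden + system attributes on a file inside the Windows tree:
        #    legitimate updates almost never set both on a freshly created DLL.
        if not e["is_dir"] and "s" in attrs and "h" in attrs and low.startswith("c:\\windows\\"):
            add(e, "hidden+system file in Windows tree")
        # 2. Anything placed directly in c:\windows rather than a subdirectory:
        #    installers use Program Files or Application Data for new content.
        if WINDOWS_ROOT_RE.match(e["path"]):
            add(e, "new entry directly under c:\\windows")
        # 3. Zero-byte files in the Windows tree are typical marker/lock artefacts.
        if e["size"] == 0 and low.startswith("c:\\windows\\"):
            add(e, "zero-byte file")

    # 4. Temporal clustering: entries created within CLUSTER_WINDOW of something
    #    flagged above (here Ukdy and Wyaw, two minutes after pmsplp.dll) are
    #    likely part of the same installation.
    anchors = [e["created"] for e in entries if e["path"] in flagged]
    for e in entries:
        if e["path"] in flagged:
            continue
        if any(abs(e["created"] - t) <= CLUSTER_WINDOW for t in anchors):
            add(e, "created within %d min of a flagged entry" % (CLUSTER_WINDOW.seconds // 60))
    return flagged


def triage_log(text):
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_entries(text))


def draft_cfscript(entries, flagged):
    """Render flagged entries in CFScript syntax (File:: / Folder::) as a draft
    for the helper to check before it is ever fed to ComboFix."""
    files = [e["path"] for e in entries if e["path"] in flagged and not e["is_dir"]]
    folders = [e["path"] for e in entries if e["path"] in flagged and e["is_dir"]]
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    flagged = triage(entries)
    for path, reasons in flagged.items():
        print(path + "\n    " + "; ".join(reasons))
    print()
    print(draft_cfscript(entries, flagged))
```

On the log above the script flags exactly the five paths in Bobbye's File:: and Folder:: sections and leaves the ESET, Malwarebytes and Help entries alone.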
  5. atomski

    atomski TS Rookie Topic Starter

    Step 2 complete

    Hi Bobbye

    Ok, instructions carried out as you directed. During the Combofix run, a box opened to say a program "PEV.exe" had closed unexpectedly. I was planning to copy and paste the error message from the box, but Combofix closed it. The random redirect issue has not re-occurred in the last two days.

    Thanks for your help, the latest log follows.

    ComboFix 11-04-21.01 - Neil 25/04/2011 6:58.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3069.2573 [GMT 1:00]
    Running from: c:\documents and settings\Neil \Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Neil \Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    FILE ::
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}"
    "c:\windows\system32\pmsplp.dll"
    "c:\windows\Vyiqo.bin"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\pmsplp.dll
    c:\windows\Vyiqo.bin
    c:\windows\Yb2Ti2O7
    c:\windows\Yb2Ti2O7\Final stats.txt
    c:\windows\Yb2Ti2O7\MSS\Copy (2) of MSS.EXP
    c:\windows\Yb2Ti2O7\MSS\Copy (3) of MSS.EXP
    c:\windows\Yb2Ti2O7\MSS\Copy of MSS.EXP
    c:\windows\Yb2Ti2O7\MSS\MSS.CMT
    c:\windows\Yb2Ti2O7\MSS\MSS.EXP
    c:\windows\Yb2Ti2O7\MSS\MSS.LST
    c:\windows\Yb2Ti2O7\MSS\MSS.O01
    c:\windows\Yb2Ti2O7\MSS\MSS.O02
    c:\windows\Yb2Ti2O7\MSS\MSS.O03
    c:\windows\Yb2Ti2O7\MSS\MSS.O04
    c:\windows\Yb2Ti2O7\MSS\MSS.O05
    c:\windows\Yb2Ti2O7\MSS\MSS.O06
    c:\windows\Yb2Ti2O7\MSS\MSS.O07
    c:\windows\Yb2Ti2O7\MSS\MSS.O08
    c:\windows\Yb2Ti2O7\MSS\MSS.O09
    c:\windows\Yb2Ti2O7\MSS\MSS.O0A
    c:\windows\Yb2Ti2O7\MSS\MSS.O0B
    c:\windows\Yb2Ti2O7\MSS\MSS.O0C
    c:\windows\Yb2Ti2O7\MSS\MSS.O0D
    c:\windows\Yb2Ti2O7\MSS\MSS.O0E
    c:\windows\Yb2Ti2O7\MSS\MSS.O0F
    c:\windows\Yb2Ti2O7\MSS\MSS.O10
    c:\windows\Yb2Ti2O7\MSS\MSS.O11
    c:\windows\Yb2Ti2O7\MSS\MSS.O12
    c:\windows\Yb2Ti2O7\MSS\MSS.O13
    c:\windows\Yb2Ti2O7\MSS\MSS.O14
    c:\windows\Yb2Ti2O7\MSS\MSS.O15
    c:\windows\Yb2Ti2O7\MSS\MSS.O16
    c:\windows\Yb2Ti2O7\MSS\MSS.O17
    c:\windows\Yb2Ti2O7\MSS\MSS.O18
    c:\windows\Yb2Ti2O7\MSS\MSS.O19
    c:\windows\Yb2Ti2O7\MSS\MSS.O1A
    c:\windows\Yb2Ti2O7\MSS\MSS.O1B
    c:\windows\Yb2Ti2O7\MSS\MSS.O1C
    c:\windows\Yb2Ti2O7\MSS\MSS.O1D
    c:\windows\Yb2Ti2O7\MSS\MSS.O1E
    c:\windows\Yb2Ti2O7\MSS\MSS.O1F
    c:\windows\Yb2Ti2O7\MSS\MSS.O20
    c:\windows\Yb2Ti2O7\MSS\MSS.O21
    c:\windows\Yb2Ti2O7\MSS\MSS.O22
    c:\windows\Yb2Ti2O7\MSS\MSS.O23
    c:\windows\Yb2Ti2O7\MSS\MSS.O24
    c:\windows\Yb2Ti2O7\MSS\MSS.O25
    c:\windows\Yb2Ti2O7\MSS\MSS.O26
    c:\windows\Yb2Ti2O7\MSS\MSS.O27
    c:\windows\Yb2Ti2O7\MSS\MSS.O28
    c:\windows\Yb2Ti2O7\MSS\MSS.O29
    c:\windows\Yb2Ti2O7\MSS\MSS.O2A
    c:\windows\Yb2Ti2O7\MSS\MSS.O2B
    c:\windows\Yb2Ti2O7\MSS\MSS.O2C
    c:\windows\Yb2Ti2O7\MSS\MSS.O2D
    c:\windows\Yb2Ti2O7\MSS\MSS.O2E
    c:\windows\Yb2Ti2O7\MSS\MSS.P01
    c:\windows\Yb2Ti2O7\MSS\MSS.R01
    c:\windows\Yb2Ti2O7\MSS\MSS.TBL
    c:\windows\Yb2Ti2O7\MSS\Stoe.prm
    c:\windows\Yb2Ti2O7\MSS\YT_MSSR_2.gsa
    c:\windows\Yb2Ti2O7\SSS\Copy (2) of SSS.EXP
    c:\windows\Yb2Ti2O7\SSS\Copy (3) of SSS.EXP
    c:\windows\Yb2Ti2O7\SSS\Copy of SSS.EXP
    c:\windows\Yb2Ti2O7\SSS\SSS.CMT
    c:\windows\Yb2Ti2O7\SSS\SSS.EXP
    c:\windows\Yb2Ti2O7\SSS\SSS.LST
    c:\windows\Yb2Ti2O7\SSS\SSS.O01
    c:\windows\Yb2Ti2O7\SSS\SSS.O02
    c:\windows\Yb2Ti2O7\SSS\SSS.O03
    c:\windows\Yb2Ti2O7\SSS\SSS.O04
    c:\windows\Yb2Ti2O7\SSS\SSS.O05
    c:\windows\Yb2Ti2O7\SSS\SSS.O06
    c:\windows\Yb2Ti2O7\SSS\SSS.O07
    c:\windows\Yb2Ti2O7\SSS\SSS.O08
    c:\windows\Yb2Ti2O7\SSS\SSS.O09
    c:\windows\Yb2Ti2O7\SSS\SSS.O0A
    c:\windows\Yb2Ti2O7\SSS\SSS.O0B
    c:\windows\Yb2Ti2O7\SSS\SSS.O0C
    c:\windows\Yb2Ti2O7\SSS\SSS.O0D
    c:\windows\Yb2Ti2O7\SSS\SSS.O0E
    c:\windows\Yb2Ti2O7\SSS\SSS.O0F
    c:\windows\Yb2Ti2O7\SSS\SSS.O10
    c:\windows\Yb2Ti2O7\SSS\SSS.O11
    c:\windows\Yb2Ti2O7\SSS\SSS.O12
    c:\windows\Yb2Ti2O7\SSS\SSS.O13
    c:\windows\Yb2Ti2O7\SSS\SSS.O14
    c:\windows\Yb2Ti2O7\SSS\SSS.O15
    c:\windows\Yb2Ti2O7\SSS\SSS.O16
    c:\windows\Yb2Ti2O7\SSS\SSS.O17
    c:\windows\Yb2Ti2O7\SSS\SSS.O18
    c:\windows\Yb2Ti2O7\SSS\SSS.O19
    c:\windows\Yb2Ti2O7\SSS\SSS.O1A
    c:\windows\Yb2Ti2O7\SSS\SSS.O1B
    c:\windows\Yb2Ti2O7\SSS\SSS.O1C
    c:\windows\Yb2Ti2O7\SSS\SSS.P01
    c:\windows\Yb2Ti2O7\SSS\SSS.R01
    c:\windows\Yb2Ti2O7\SSS\SSS.TBL
    c:\windows\Yb2Ti2O7\SSS\SSSU.CMT
    c:\windows\Yb2Ti2O7\SSS\SSSU.EXP
    c:\windows\Yb2Ti2O7\SSS\SSSU.LST
    c:\windows\Yb2Ti2O7\SSS\SSSU.O01
    c:\windows\Yb2Ti2O7\SSS\SSSU.O02
    c:\windows\Yb2Ti2O7\SSS\SSSU.O03
    c:\windows\Yb2Ti2O7\SSS\SSSU.P01
    c:\windows\Yb2Ti2O7\SSS\SSSU.R01
    c:\windows\Yb2Ti2O7\SSS\Stoe.prm
    c:\windows\Yb2Ti2O7\SSS\YT_SSSR_2.gsa
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-24 17:03 . 2011-04-24 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Advanced Chemistry Development
    2011-04-24 17:02 . 2011-04-24 17:03 -------- d-----w- c:\program files\ACDFREE11
    2011-04-24 16:47 . 2011-04-24 16:47 -------- d-----w- c:\documents and settings\Neil \Application Data\ChemAxon
    2011-04-24 16:47 . 2011-04-24 18:15 -------- d-----w- c:\documents and settings\Neil \chemaxon
    2011-04-24 16:43 . 2011-04-24 16:43 -------- d-----w- c:\program files\GreatStellaDEMO
    2011-04-21 17:08 . 2011-04-21 17:08 -------- d-----w- c:\program files\ESET
    2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Malwarebytes
    2011-04-20 16:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-20 16:01 . 2011-04-20 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-20 16:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-20 11:06 . 2011-04-20 13:01 -------- d-----w- c:\documents and settings\Neil \Application Data\Ukdy
    2011-04-20 11:06 . 2011-04-20 11:32 -------- d-----w- c:\documents and settings\Neil \Application Data\Wyaw
    2011-04-10 17:48 . 2011-04-10 17:48 -------- d-----w- c:\documents and settings\Neil \Local Settings\Application Data\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-07 05:33 . 2008-04-22 15:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2008-04-22 07:17 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2008-04-22 07:17 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2008-04-22 07:17 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2008-04-22 07:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2008-04-22 07:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2008-04-22 07:16 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2008-04-22 07:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2008-04-22 07:17 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-07-23 07:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2008-04-22 07:16 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53 . 2008-04-22 07:17 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2008-04-22 07:16 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33 . 2008-04-22 07:16 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33 . 2008-04-22 07:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 20:40 . 2011-02-10 07:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 18:19 . 2011-02-10 07:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2008-04-22 15:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2008-04-22 15:25 677888 ----a-w- c:\windows\system32\mstsc.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-04-20_17.19.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-25 05:46 . 2011-04-25 05:46 16384 c:\windows\Temp\Perflib_Perfdata_31c.dat
    - 2008-04-22 07:17 . 2011-04-20 17:01 72756 c:\windows\system32\perfc009.dat
    + 2008-04-22 07:17 . 2011-04-25 05:50 72756 c:\windows\system32\perfc009.dat
    + 2010-11-15 20:02 . 2010-11-15 20:02 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\ViewerPS.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\reader_sl.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 16808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\piaglbreakfinder.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\PDFPrevHndlr.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\eula.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acrotextextractor.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32Info.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acroiehelpershim.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroIEHelper.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\Acrofx32.dll
    + 2008-04-22 07:17 . 2011-04-25 05:50 445238 c:\windows\system32\perfh009.dat
    - 2008-04-22 07:17 . 2011-04-20 17:01 445238 c:\windows\system32\perfh009.dat
    + 2011-04-21 18:04 . 2011-02-02 20:40 157472 c:\windows\system32\javaws.exe
    + 2011-04-21 18:04 . 2011-02-02 20:40 145184 c:\windows\system32\javaw.exe
    - 2011-02-10 07:49 . 2011-02-10 07:49 145184 c:\windows\system32\javaw.exe
    + 2011-04-21 18:04 . 2011-02-02 20:40 145184 c:\windows\system32\java.exe
    - 2011-02-10 07:49 . 2011-02-10 07:49 145184 c:\windows\system32\java.exe
    + 2011-04-21 18:04 . 2011-04-21 18:04 180224 c:\windows\Installer\20e7cb9.msi
    + 2010-11-15 20:02 . 2010-11-15 20:02 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\pdfshell.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\nppdf32.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\JP2KLib.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AiodLite.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroPDF.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acrobroker.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\a3dutils.dll
    + 2011-04-21 18:13 . 2011-04-21 18:13 2519552 c:\windows\Installer\20e7fe0.msi
    + 2010-11-15 20:02 . 2010-11-15 20:02 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\rt3d.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\authplay.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AGM.dll
    + 2010-11-15 20:02 . 2010-11-15 20:02 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AdobeCollabSync.exe
    + 2010-11-15 20:02 . 2010-11-15 20:02 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32.exe
    + 2011-01-30 20:52 . 2011-01-30 20:52 12425728 c:\windows\Installer\2108f1.msp
    + 2010-11-15 20:02 . 2010-11-15 20:02 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-13 503808]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-30 13529088]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-04-30 1347584]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-04-30 1191936]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "NWTRAY"="NWTRAY.EXE" [2006-07-13 28672]
    "EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-26 274608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-15 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    .
    R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [09/01/2011 11:05 1737464]
    R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [15/09/2008 13:30 72448]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/09/2008 15:49 244368]
    R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [22/04/2008 17:24 37040]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/07/2010 09:21 135664]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [03/08/2010 08:19 100736]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [09/01/2011 11:04 9216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
    .
    2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 08:21]
    .
    2011-04-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-04-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1947724138-2050635879-2572181111-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\documents and settings\Neil \Application Data\Mozilla\Firefox\Profiles\yg4zx6hy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-25 07:05
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-04-25 07:07:39
    ComboFix-quarantined-files.txt 2011-04-25 06:07
    ComboFix2.txt 2011-04-21 17:58
    ComboFix3.txt 2011-04-20 17:49
    ComboFix4.txt 2011-04-20 17:22
    .
    Pre-Run: 132,066,652,160 bytes free
    Post-Run: 132,082,331,648 bytes free
    .
    - - End Of File - - B87DD28214D3AD05C725E6B8E2CB960F
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I may have had you remove something you needed!

I saw this directory, c:\windows\Yb2Ti2O7, and could not find any computer-related identification for it. But now I see these entries:
    2011-04-24 17:03 . 2011-04-24 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Advanced Chemistry Development
    2011-04-24 16:47 . 2011-04-24 16:47 -------- d-----w- c:\documents and settings\Neil \Application Data\ChemAxon
    2011-04-24 16:47 . 2011-04-24 18:15 -------- d-----w- c:\documents and settings\Neil \chemaxon


    Did I inadvertently remove data for the Chemistry? Did you need it? Would you like me to try and restore it? You can see all the files at the beginning of Combofix.
  7. atomski

    atomski TS Rookie Topic Starter

    No problem

Hi Bobbye

    I had it backed up, so no problem. Am I now "clean"?
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    We're not quite through yet! I am very glad you had the files backed up! I usually ask if I see a file like that before zapping it! I will be back after dinner to check the new Combofix log.

    How are the redirects? Any other related problems?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This time I will ask first: Do you know what either of these are?
    2011-04-20 13:01 c:\documents and settings\Neil \Application Data\Ukdy
2011-04-20 11:06 c:\documents and settings\Neil \Application Data\Wyaw

    You need to remove this outdated Java extension from Firefox: v6u22
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    You do not need to add a separate update to Firefox when updating Java.
    ====================================
    Both of the following need to be updated:
Java: Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
Adobe Reader: Visit this Adobe Reader site. Uninstall any earlier updates, as they are vulnerabilities.
    =====================================
The flash drive you used when you first noticed the problem should be disinfected:
    These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Have the redirects been resolved?
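The note above explains why the helper tool leaves a hidden autorun.inf folder on each drive: a USB worm relies on dropping an autorun.inf file at the drive root, and a folder of the same name blocks that. The script below is an added example written for this thread (it is not Flash_Disinfector's code and not something the helper posted). It inspects a drive root, tells the difference between no autorun.inf, the protective folder, and a worm-style file (listing the keys that would launch a program), and applies the folder protection. The sample autorun.inf content and the temporary directory standing in for a drive root are constructed for the demo; the hidden/system attribute is set through the Win32 API only when run on Windows.

```python
"""Defender-side check for the USB autorun.inf vector discussed in the thread.

Added example (not part of the thread and not Flash_Disinfector's code):
  - inspect_autorun() reports whether a drive root carries no autorun.inf,
    a protective autorun.inf *folder*, or an autorun.inf *file* and, for a
    file, which keys would launch a program (the worm's hook).
  - protect() creates the hidden/system autorun.inf folder the thread
    describes, which stops a worm from dropping its own file there.
The sample autorun.inf content below is constructed for the demo.
"""
import configparser
import ctypes
import os
import shutil
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x02  # Win32 attribute bits (used only on Windows)
FILE_ATTRIBUTE_SYSTEM = 0x04

# Key prefixes that make Windows run something on insertion or on double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell")


def inspect_autorun(root):
    """Return (status, launch_keys) for the drive root `root`.

    status is "absent", "directory" (protected) or "file" (the worm pattern);
    launch_keys holds the [autorun] entries that start a program, lower-cased.
    """
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return "absent", {}
    if target.is_dir():
        return "directory", {}
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        # utf-8-sig drops a BOM that would otherwise hide the section header
        parser.read_string(target.read_text(encoding="utf-8-sig", errors="replace"))
    except configparser.Error:
        return "file", {"_unparsed": "malformed autorun.inf"}
    launch = {}
    for section in parser.sections():  # INI section names are case-insensitive on Windows
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key.startswith(LAUNCH_KEYS):  # configparser already lower-cases keys
                launch[key] = value
    return "file", launch


def protect(root):
    """Create the protective autorun.inf folder.

    Returns True when the folder is in place, False when an autorun.inf *file*
    is present: that file is evidence and is left for the cleanup tool to
    quarantine rather than being overwritten here.
    """
    target = Path(root) / "autorun.inf"
    if target.is_file():
        return False
    target.mkdir(exist_ok=True)
    if sys.platform == "win32":
        # Hidden + system, matching the folder the thread's note describes.
        ctypes.windll.kernel32.SetFileAttributesW(
            str(target), FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return target.is_dir()


# Constructed sample: the general shape of a USB worm's autorun.inf.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=USB
"""


def demo():
    """Walk one drive root through infected -> cleaned -> protected states,
    using a temporary directory as the drive root; returns the observations."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    try:
        result = {"before": inspect_autorun(root)[0]}
        (Path(root) / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="utf-8")
        status, launch = inspect_autorun(root)
        result["infected"] = status
        result["launch_keys"] = launch
        result["protect_refused"] = protect(root)  # refuses while the file exists
        os.remove(Path(root) / "autorun.inf")  # stands in for quarantine by the cleanup tool
        result["protected"] = protect(root)
        result["after"] = inspect_autorun(root)[0]
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python autorun_check.py E:\   (inspect a real drive root)
    #        python autorun_check.py       (run the constructed demo)
    if len(sys.argv) > 1:
        status, launch = inspect_autorun(sys.argv[1])
        print(f"{sys.argv[1]}: autorun.inf {status}", launch or "")
    else:
        for name, value in demo().items():
            print(f"{name}: {value}")
```

The design choice worth noting is that protect() refuses to act while an autorun.inf file is present: the file is the artefact a responder wants preserved and quarantined, and silently replacing it with a folder would destroy that evidence while leaving whatever it pointed at untouched.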
  10. atomski

    atomski TS Rookie Topic Starter

    Next step

Hi Bobbye

    I'll run through this in the next couple of days as I will be travelling. No browser redirect issues at present. I'll post the logs at the earliest opportunity.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

Okay, I'll make myself a note to keep the thread open. Post when you can.

    To Bobbye: Member is traveling. Please keep thread open.
     