Inactive Google redirect virus

SystemLook 30.07.11 by jpshortstuff
Log created at 16:55 on 29/12/2011 by Saban
Administrator - Elevation successful

========== filefind ==========

Searching for "i8042prt.sys"
No files found.

-= EOF =-
 
THE SYSTEM IS WORKING GOOD. DO NOT SEE ANY CHANGES.
But it keeps sending me to google.co.uk when I type in google.com and press enter, and when I open Internet Explorer it opens google.lt as the home page most of the time.
 
New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
===========================
Please keep in mind that you can use the Edit Feature if you only have a few words to add. I get email for every reply you make. Will review and finish up on Monday.
 
If you have not done this for ARO following the uninstall, please use Windows explorer to access Computer> Local Drive> Programs> navigate to the ARO folder and do a right click> Delete.
=====================================
Depending on which browser you use, you can reset your homepage and/or search engine. You mention IE, but I also note you have Chrome installed. And there are entries for Firefox homepage and search engine. Search page is set for Chrome browser:
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Do you need help in resetting these? If Yes, please tell me which browser and which version you have set for the default browser.
====================================
It does not appear that you copied all of the script in the codebox to run in ComboFix. Please run it again, being careful to copy ALL of the text. Follow the directions to run the fix using the entries below in the codebox:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
KillAll::
File::

Folder::
c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
c:\program files\Ask.com
c:\program files\ARO 2011
c:\program files\AVG Secure Search
Extra::
File::
Firefox::
Firefox-: - Profile - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
Firefox-: prefs.js- Search.DefaultURL
Firefox-: prefs.js- Searchengine.defaultURL
Firefox-: prefs.js- Startup.Homepage
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Repeating:
Please open Firefox> Tools> Add ons> Extensions> Remove the following:
Ext: Conduit Engine
Ext: BitTorrentBar Community Toolbar
Ext: Support.com Toolbar (this is another entry from ask.com)

Go to Add/Remove Programs and uninstall the following, if found:
Any Ask entries
Bit Torrent Toolbar
Conduit Engine
ARO 2012
When finished, use Windows Explorer to access Computer> Local Drive> Programs> Look for program folder for each of the programs you uninstalled and do a right click> Delete on each.
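As an added example (not from this thread, and not part of ComboFix), the following Python checker reads the browser-settings lines from a ComboFix "Supplementary Scan" section, in the same line format the logs in this thread use, and flags any homepage or search URL whose host is not on an allowlist. The allowlist, the sample log text and the ctid value in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the user actually wants for homepage/search (assumption: our own
# allowlist for this example, not something ComboFix ships).
ALLOWED_HOSTS = {"www.google.com", "google.com"}

# IE entries look like:  uStart Page = hxxp://www.google.com/
# ComboFix writes "hxxp" instead of "http" so the log cannot be clicked.
IE_LINE = re.compile(
    r"^u(?P<key>Start Page|SearchAssistant|SearchURL,\(Default\))\s*=\s*(?P<url>\S+)"
)

# Firefox entries look like:  FF - prefs.js: browser.startup.homepage - hxxp://...
# The value may be empty (e.g. browser.search.selectedEngine with nothing set).
FF_LINE = re.compile(r"^FF - prefs\.js: (?P<key>browser\.\S+)\s*-\s*(?P<url>\S*)")


def refang(url):
    """Turn the defanged 'hxxp' scheme back into 'http' so urlparse can split it."""
    return re.sub(r"^hxxp", "http", url)


def host_of(url):
    """Return the hostname of a (possibly defanged) URL, or '' if there is none."""
    if not url:
        return ""
    return urlparse(refang(url)).hostname or ""


def parse_browser_settings(log_text):
    """Return (browser, key, url) tuples for every IE/Firefox setting line."""
    settings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IE_LINE.match(line)
        if m:
            settings.append(("IE", m.group("key"), m.group("url")))
            continue
        m = FF_LINE.match(line)
        if m:
            settings.append(("Firefox", m.group("key"), m.group("url")))
    return settings


def find_hijacks(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (browser, key, host) for settings pointing outside the allowlist.

    Empty values are skipped: an unset preference is not a hijack."""
    flagged = []
    for browser, key, url in parse_browser_settings(log_text):
        host = host_of(url)
        if url and host not in allowed_hosts:
            flagged.append((browser, key, host))
    return flagged


# Constructed sample in the ComboFix Supplementary Scan format; the ctid
# value and profile name are placeholders, not taken from a real log.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\\documents and settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles\\xxxxxxxx.default\\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT0000000&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT0000000&SearchSource=13
"""

if __name__ == "__main__":
    for browser, key, host in find_hijacks(SAMPLE_LOG):
        print(f"{browser}: {key} points at {host} (not on allowlist)")
```

With the sample above the IE entries pass and both Firefox preferences are reported as pointing at search.conduit.com, which is what the redirect symptoms in this thread look like in the log.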
 
I reran ComboFix. It removed some files and restarted the computer, but I can not find the log at C:
Should I do it all over again?
 
Please search for C:\ComboFix.txt. If it ran, there will be a log. If you still can't find it, update and run ComboFix again.
 
ComboFix 12-01-09.03 - Saban 01/09/2012 17:05:31.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.200 [GMT -5:00]
Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Saban\Desktop\CFScript.txt.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
--------
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2012-01-03 15:07 . 2012-01-03 15:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-12-29 15:35 . 2011-12-29 15:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-28 16:52 . 2011-12-28 16:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-12-28 15:18 . 2011-12-28 15:18 -------- d-----w- C:\HijackThis
2011-12-23 20:35 . 2011-12-23 20:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Sammsoft
2011-12-14 20:15 . 2011-12-14 20:15 -------- d-----w- C:\_OTM
2011-12-12 14:09 . 2011-12-12 14:09 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2008-04-14 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-28_14.24.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 17:02 . 2011-12-28 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-15 22:36 . 2011-12-28 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-15 22:36 . 2011-11-08 15:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-28 16:57 . 2011-12-28 16:57 22016 c:\windows\Installer\5e31d0.msi
+ 2011-12-28 16:52 . 2011-12-28 16:52 28160 c:\windows\Installer\5e31cb.msi
+ 2011-12-28 16:52 . 2011-12-28 16:52 24064 c:\windows\Installer\5e31c6.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2011-12-29 15:35 . 2011-12-29 15:35 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
+ 2011-12-29 15:35 . 2011-12-29 15:35 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-12-28 16:52 . 2011-12-28 16:52 2295808 c:\windows\Installer\5e31bd.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\5e31be.msp
+ 2011-06-06 17:55 . 2011-06-06 17:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2012-01-09 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 17:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2432)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-09 17:22:41
ComboFix-quarantined-files.txt 2012-01-09 22:22
ComboFix2.txt 2011-12-29 21:44
ComboFix3.txt 2011-12-28 14:55
ComboFix4.txt 2011-12-28 14:30
ComboFix5.txt 2012-01-03 15:04
.
Pre-Run: 12,923,772,928 bytes free
Post-Run: 13,982,945,280 bytes free
.
- - End Of File - - 26EF7B277B46F97982683CE7F714E0BA
 
I got a problem while running ComboFix. I got a black screen with a blue box with white text running again and again. I shut the computer down and turned it on again, then reran ComboFix and everything went well. I posted the result above.
 
My apology- I am just checking my threads and see I missed yours.

Do you still need help?
If yes, are you still getting redirected? Are there any other problems?
 
Hi! Yes, I still need help. It keeps redirecting me, especially in Google search, and as of today I can not open Google.com at all. It says that Internet Explorer can not open the webpage. I have tried Internet Explorer, Mozilla, Chrome.
 
Okay, the message that IE can't open a webpage doesn't usually apply to malware unless possibly you are trying to access a site to update the AV or other security.

I'm resetting your homepage and search page in Firefox. See if this helps:

Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Extra::
File::
Firefox::
Firefox-: - Profile - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
Firefox-: - prefs.js - Search.DefaultURL
Firefox-: - prefs.js - Startup.Homepage
Clearjavacache::
Driver::
cerc6
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Something is trying to access a port whose driver is missing. Here are the possibilities:
Missing port driver: i8042prt.sys
This is the port driver in Microsoft Windows 2000 and later versions for PS/2-style keyboard and mouse devices.

Some of the features of this driver are:
  • Hardware-dependent, simultaneous operation of a PS/2-style keyboard and mouse device
  • Management of I/O Port and IRQ settings and routines.
  • Plug and Play and power management.
  • Operation of legacy devices.
  • Other interface and interaction components between the operating system and these types of devices.
I had you check the system and there is no file. If you are having a problem in one of the areas above, you can use the CD for the operating system to run the System File Checker to replace it.
=======================
When you uninstalled AVG, did you put one of the temporary AVs on the system? I don't see it. But I do see this:
12-02 19:35:54 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

Only the 1 entry. According to its description: I note that PC Tools Security is on the system and not working. It does not show as an installed program, but it has a Service: This is for the Spyware Doctor antimalware program.

The Service may be found> Start> Run> type in services.msc>enter> Look for PC Tools Security or sdCoreService> Make sure Startup Type is set to Automatic.

File name: pctsSvc.exe: This program has, among other features:
AntiVirus, AntiSpyware, AntiSpam, Firewall and Real-time protection.

There are 2 errors in the Event Viewer indicating this program terminated twice. So either uninstall it or get it running correctly.
================================
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
When the scan has finished, you will see this image:
[image: scan-finished.jpg]

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At the end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
=============================
Rescan with the ESET Online Scanner.

Both logs in next reply please.
 
ComboFix 12-01-23.02 - Saban 01/23/2012 12:33:43.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.231 [GMT -5:00]
Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Saban\Desktop\CFScript.xt.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cerc6
.
.
((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
.
.
2012-01-13 22:50 . 2012-01-13 22:50 -------- d-----r- c:\documents and settings\Saban\Application Data\Brother
2012-01-13 21:29 . 2012-01-13 21:29 -------- d-----w- c:\documents and settings\Saban\Local Settings\Application Data\Scansoft
2012-01-13 21:20 . 2005-01-17 21:10 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL
2012-01-13 21:20 . 2004-08-10 05:42 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
2012-01-13 21:20 . 2007-08-20 06:34 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE
2012-01-13 21:20 . 2004-09-24 05:00 24223 ----a-w- c:\windows\system32\BRLM03A.DLL
2012-01-13 21:20 . 2006-12-12 16:28 52224 ----a-w- c:\windows\system32\drivers\BrSerIf.sys
2012-01-13 21:20 . 2006-09-03 14:53 11904 ----a-w- c:\windows\system32\drivers\BrUsbSer.sys
2012-01-13 21:20 . 2008-01-23 22:22 1397248 ----a-w- c:\windows\system32\BrWia07b.dll
2012-01-13 21:20 . 2007-07-16 20:34 45568 ----a-w- c:\windows\system32\BrUsi07b.dll
2012-01-13 21:20 . 2004-10-15 17:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2012-01-13 21:11 . 2007-01-26 21:13 54784 ------w- c:\windows\system32\brinsstr.dll
2012-01-13 21:11 . 2007-01-16 02:54 12288 ------w- c:\windows\system32\BrDctF2S.dll
2012-01-13 21:11 . 2007-01-15 21:09 12288 ------w- c:\windows\system32\BrDctF2L.dll
2012-01-13 21:11 . 2007-01-25 22:16 94208 ------w- c:\windows\system32\BrDctF2.dll
2012-01-13 21:11 . 2006-12-21 16:23 176128 ----a-w- c:\windows\system32\BROSNMP.DLL
2012-01-13 21:10 . 2007-07-25 06:04 126976 ------w- c:\windows\system32\BrfxD05a.dll
2012-01-13 21:10 . 2008-02-01 23:08 102400 ------w- c:\windows\system32\BrMfNt.dll
2012-01-13 21:10 . 2007-11-11 19:31 167936 ------w- c:\windows\system32\NSSearch.dll
2012-01-13 21:10 . 2002-11-26 18:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2012-01-13 21:10 . 2012-01-13 21:21 -------- d-----w- c:\program files\Brother
2012-01-13 21:10 . 2007-02-15 18:54 131072 ----a-w- c:\windows\brunin03.dll
2012-01-13 21:10 . 2006-07-07 17:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2012-01-13 21:08 . 2012-01-13 21:08 -------- d-----w- c:\documents and settings\Saban\Application Data\InstallShield
2012-01-13 20:28 . 2012-01-13 20:28 -------- d-----w- c:\program files\Nuance
2012-01-13 20:27 . 2012-01-13 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2012-01-13 20:24 . 2012-01-13 20:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2012-01-13 20:24 . 2012-01-13 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2012-01-13 20:24 . 2012-01-13 20:24 -------- d-----w- c:\program files\ScanSoft
2012-01-13 20:22 . 2012-01-13 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2012-01-10 19:40 . 2012-01-10 19:40 -------- d-----w- c:\documents and settings\Saban\Application Data\AskToolbar
2012-01-10 19:22 . 2012-01-10 19:30 -------- d-----w- c:\windows\system32\NtmsData
2012-01-10 19:22 . 2010-04-28 15:49 46592 ----a-w- c:\windows\system32\HPM1210SMs.dll
2012-01-10 19:22 . 2010-04-28 15:49 13824 ----a-w- c:\windows\system32\drivers\HPM1210FAX.sys
2012-01-10 19:22 . 2010-04-28 15:49 81920 ----a-w- c:\windows\system32\mvusbews.dll
2012-01-10 19:22 . 2010-04-28 15:49 17408 ----a-w- c:\windows\system32\drivers\mvusbews.sys
2012-01-10 19:18 . 2010-04-27 22:50 316416 ----a-r- c:\windows\system32\Difxapi.dll
2012-01-10 19:18 . 2010-03-31 17:49 284672 ----a-w- c:\windows\system32\mvhlewsi.dll
2012-01-10 18:42 . 2012-01-10 18:42 -------- d-----w- c:\documents and settings\Saban\Application Data\Avira
2012-01-10 18:40 . 2012-01-12 13:59 -------- d-----w- c:\program files\Ask.com
2012-01-10 18:40 . 2012-01-23 17:25 -------- d-----w- c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
2012-01-10 18:40 . 2012-01-11 18:43 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-01-10 18:40 . 2011-09-16 04:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-01-10 18:40 . 2011-09-16 04:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-10 18:39 . 2012-01-10 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-01-10 18:39 . 2012-01-10 18:39 -------- d-----w- c:\program files\Avira
2012-01-03 15:07 . 2012-01-03 15:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-12-29 15:35 . 2011-12-29 15:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-28 16:52 . 2011-12-28 16:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-12-28 15:18 . 2011-12-28 15:18 -------- d-----w- C:\HijackThis
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2008-04-14 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-04-14 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
.
 
((((((((((((((((((((((((((((( SnapShot_2011-12-28_14.24.46 )))))))))))))))))))))))))))))))))))))))))
Edit: Lengthy SnapShot entries have been reviewed and deleted by Bobbye.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-05 01:20 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-05 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-05 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-05 1391272]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [1/10/2012 1:40 PM 36000]
R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/10/2012 1:40 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [1/10/2012 1:40 PM 463824]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe --> c:\windows\system32\HPSIsvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
S3 HP1210FAX;HP1210MFP FAX;c:\windows\system32\drivers\HPM1210FAX.sys [1/10/2012 2:22 PM 13824]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [1/10/2012 2:22 PM 17408]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2012-01-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-01-05 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HP LaserJet Professional M1130-M1210 MFP Series - c:\program files\HP\HP LaserJet M1210 MFP Series\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-23 12:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(744)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(1296)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2012-01-23 13:03:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-23 18:03
ComboFix2.txt 2012-01-09 22:22
ComboFix3.txt 2011-12-29 21:44
ComboFix4.txt 2011-12-28 14:55
ComboFix5.txt 2012-01-23 17:29
.
Pre-Run: 11,864,403,968 bytes free
Post-Run: 13,217,267,712 bytes free
.
- - End Of File - - 5B675161D09E9863771E403AFDB1FA36
 
Hello! I have sent you the log in 3 parts since it's too long.
I cannot find PC Tools Security or sdCoreService.
 
3 weeks ago, you got the AskToolbar and Ask.com on the system. I set up removals for all entries I found and also instructed you to uninstall all entries in Add/Remove Programs for Ask anything - toolbar, updater, .com
---------------------
Additionally I told you to uninstall all of the following:
Go to Add/Remove Programs and uninstall the following, if found:
Any Ask entries
Bit Torrent Toolbar
Conduit Engine
ARO 2012
When finished, use Windows Explorer to access Computer> Local Drive> Programs> Look for program folder for each of the programs you uninstalled and do a right click> Delete on each.
---------------------
I also instructed you to remove this Scheduled Task:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

  • Right click on the following Task> Delete.
    c:\windows\Tasks\Scheduled Update for Ask Toolbar (c:\program files\Ask.com\UpdateTask.exe)

  • Please open Firefox> Tools> Add ons> Extensions> Remove the following:
    Ext: Conduit Engine
    Ext: BitTorrentBar Community Toolbar
    Ext: Support.com Toolbar: (this is another entry from ask.com)

Note there are more Ask entries to be removed in Firefox: Tools> Options> Extensions and/or plug-ins> Delete ALL of the following.
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
---------------------------------
I instructed you to update and run Mbam again, making it a Full Scan this time. There was no log.

You installed Ask.com again on 1/12.
=========================================
It appears that you have not copied all of the script and run it through Combofix - not once but 3 times.
========================================
If you do all of the above, update and run Combofix once more. It will be the last time I write script for you to run in Combofix.
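The helper's post above works through a ComboFix log by hand, picking out the Ask/Conduit Firefox extensions, the hijacked search and homepage prefs, and the Ask updater task. As an added example that is not part of the thread and not code from ComboFix or any other tool mentioned here, the Python script below does that triage over ComboFix-style lines. The sample log is constructed from the line shapes shown in the thread, and the indicator lists (the extension ids and the domains ask.com / conduit.com) are assumptions drawn from what the helper identifies as unwanted; any other site would tune them to its own case.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape ComboFix prints: browser prefs, Firefox
# extension entries and Scheduled Tasks pairs. Raw string, so backslashes
# are literal. Not a real log from the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
2012-01-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-01-05 01:20]
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
"""

# Assumed indicators: the extension ids and domains the thread treats as
# Ask/Conduit adware. Extend for your own case.
PUP_EXTENSION_IDS = {
    "toolbar@ask.com",
    "engine@conduit.com",
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}",  # BitTorrentBar Community Toolbar
}
PUP_DOMAINS = ("ask.com", "conduit.com")

EXT_RE = re.compile(r"^FF - Ext: (?P<name>.+?)\s*: (?P<id>\S+) - (?P<path>.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<val>.*)$")
IE_PREF_RE = re.compile(r"^u(?P<key>Start Page|SearchAssistant|SearchURL,\(Default\)) = (?P<val>.*)$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\Tasks\\.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[")


def hostname(value):
    """Host part of a URL; ComboFix defangs http as hxxp, so undo that first."""
    value = value.strip()
    if not value:
        return None
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return urlsplit(value).hostname


def is_pup_host(host):
    """True if host is one of the PUP domains or a subdomain of one."""
    return host is not None and any(host == d or host.endswith("." + d) for d in PUP_DOMAINS)


def parse_extensions(lines):
    """Collect 'FF - Ext:' entries, collapsing the repeats ComboFix prints."""
    seen, out = set(), []
    for line in lines:
        m = EXT_RE.match(line)
        if m and m["id"] not in seen:
            seen.add(m["id"])
            out.append((m["name"], m["id"], m["path"]))
    return out


def parse_prefs(lines):
    """Firefox prefs.js entries and the IE start/search entries, keyed by browser."""
    prefs = {}
    for line in lines:
        m = FF_PREF_RE.match(line)
        if m:
            prefs["FF:" + m["key"]] = m["val"].strip()
            continue
        m = IE_PREF_RE.match(line)
        if m:
            prefs["IE:" + m["key"]] = m["val"].strip()
    return prefs


def parse_tasks(lines):
    """Pair each '.job' line with the '- target [date]' line that follows it."""
    tasks = []
    for i, line in enumerate(lines):
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1])
            if t:
                tasks.append((m["job"], t["target"]))
    return tasks


def triage(log_text):
    """Return only the entries that point at the assumed PUP indicators."""
    lines = log_text.strip().splitlines()
    return {
        "pup_extensions": [e for e in parse_extensions(lines) if e[1] in PUP_EXTENSION_IDS],
        "hijacked_prefs": {k: v for k, v in parse_prefs(lines).items() if is_pup_host(hostname(v))},
        "pup_tasks": [t for t in parse_tasks(lines) if any(d in t[1].lower() for d in PUP_DOMAINS)],
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

Run it against a saved ComboFix.txt by passing the file contents to triage(); the output is the same three groups the helper lists by hand (extensions to remove in Firefox, prefs to reset, the Ask updater task to delete), with the repeated toolbar@ask.com lines collapsed to one entry.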
 
I ran Malwarebytes yesterday and was sure I had sent you the results, but there is no post. I was probably disturbed by someone.
I reran it. Here is the log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Saban :: YELENA [administrator]

1/24/2012 1:56:01 PM
mbam-log-2012-01-24 (13-56-01).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224824
Time elapsed: 1 hour(s), 46 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
As for Ask, I did everything you told me except for removing it from Computer> Local Drive> Programs. It says that the program is used by someone else. I did remove it last time but it was reinstalled when I downloaded Avira.
 
Hey! I found the Malwarebytes log from yesterday.
Here it is:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Saban :: YELENA [administrator]

1/23/2012 2:51:40 PM
mbam-log-2012-01-23 (14-51-40).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219335
Time elapsed: 2 hour(s), 11 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\System Volume Information\_restore{987B1B85-12D5-430C-923E-7A4B948FE860}\RP406\A0083724.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

(end)
 
Check all the download screens well for pre-checked toolbars and browser helper objects. The Ask entries are very frequent and the current one even installs an auto-updater! These things are a lot easier to prevent than they are to get rid of!

it was reinstalled when I downloaded Avira.
Come to think of this, Broni brought this up and has stopped recommending Avira because of it. I think he now has Comodo instead. I'll check on that.

Are there any malware problems remaining - clean Mbam and Eset?
 
I did not know that Ask entries are that bad. So should I uninstall Avira and download Comodo instead?
By the way, I used Ask instead of Google. At least it did not redirect me all the time :)

Eset is clean. I am not sure about MBAM, but the problem is still there. It looks like it is easier to have someone reinstall Windows.
 
Hey! I have a question. I do not have anyone to ask it, so I thought you may help me with it. We have Netgear at work and, as my boss said, he can track websites we are visiting. Can he track websites I am visiting on my iPhone if I use Wifi at work?
Thank you in advance :)
 