heavystrato
Posts: 56 +0
well it looks like it keeps doing it, so i will have no choise, ****! thanks for your help Broni
Solved I Have the Browswer Redirect Problem
- Thread starter heavystrato
- Start date
- Status
heavystrato
Posts: 56 +0
Hi Broni,
Just wanted to tell you that I was not gona give up that easily and well I think I have succefully Replaced the WINLOGON.exe and EXPLOREE.exe. with the recovery console and my original windows CD.
I also Uploded them to VirusTotal.com. and they both seam to be clean now. Also, I know i should not have done this, but i run combofix again and it didnt find any files infected, judging from what i saw i could be wrong tho.
Now, I dont know if im totatlly clean, so I wanted to ask if you will be willing to help me out analizing another set of LOGS by GMER and DDS. Please let meknow
Just wanted to tell you that I was not gona give up that easily and well I think I have succefully Replaced the WINLOGON.exe and EXPLOREE.exe. with the recovery console and my original windows CD.
I also Uploded them to VirusTotal.com. and they both seam to be clean now. Also, I know i should not have done this, but i run combofix again and it didnt find any files infected, judging from what i saw i could be wrong tho.
Now, I dont know if im totatlly clean, so I wanted to ask if you will be willing to help me out analizing another set of LOGS by GMER and DDS. Please let meknow
heavystrato
Posts: 56 +0
Also, It seams like the redirection problems have gone away... 
but Im still not sure if my computer is totally clean, I hope to hear from you broni!
but Im still not sure if my computer is totally clean, I hope to hear from you broni! heavystrato
Posts: 56 +0
:wave: Hi Bordi,!
thanks for getting back to me.
here is the log
ComboFix 10-08-18.06 - Eduardo 08/20/2010 11:39:29.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2516 [GMT -4:00]
Running from: c:\documents and settings\Eduardo\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.
2010-08-20 14:29 . 2004-08-04 04:56 1032192 ----a-w- c:\windows\explorer.exe
2010-08-20 09:47 . 2004-10-31 11:47 502272 ----a-w- c:\windows\system32\winlogon.exe
2010-08-17 06:00 . 2010-08-17 06:13 -------- d-----w- C:\RECYCLER(2)
2010-08-17 06:00 . 2010-08-17 06:13 -------- d-----w- C:\ComboFix(2)
2010-08-15 14:37 . 2010-08-20 12:59 -------- d-----w- c:\windows\system32\NtmsData
2010-08-15 14:36 . 2010-08-15 14:36 -------- d-----w- c:\documents and settings\Eduardo\Application Data\Avira
2010-08-15 14:33 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-15 14:33 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-15 14:33 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-15 14:33 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\program files\Avira
2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-15 14:27 . 2010-08-15 14:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 14:27 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 04:47 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-15 04:47 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-15 04:47 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-15 04:47 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-15 04:47 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-20 02:35 . 2009-03-08 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 17:40 . 2009-04-20 18:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-18 17:52 . 2009-03-08 16:27 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-08-18 15:22 . 2010-08-17 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-08-18 15:22 . 2010-08-17 21:10 -------- d-----w- c:\program files\Security Task Manager
2010-08-18 15:21 . 2010-08-18 05:19 -------- d-----w- c:\documents and settings\Eduardo\Application Data\SafeReturner
2010-08-18 15:21 . 2010-08-18 05:19 -------- d-----w- c:\program files\Safe Returner
2010-08-18 15:21 . 2009-09-16 00:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-18 15:21 . 2009-09-16 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-18 04:49 . 2009-09-15 16:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-15 14:27 . 2009-03-26 22:14 -------- d-----w- c:\program files\Java
2010-08-15 05:46 . 2009-10-26 14:17 -------- d-----w- c:\documents and settings\Eduardo\Application Data\vlc
2010-08-12 10:04 . 2009-03-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-02 23:14 . 2009-03-09 01:20 189000 ----a-w- c:\documents and settings\Eduardo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-28 16:03 . 2010-05-27 23:40 -------- d-----w- c:\program files\Facebook FriendAdder Pro
2010-07-21 12:08 . 2009-03-08 11:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 00:21 . 2010-07-10 23:55 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
2010-06-14 14:30 . 2009-03-08 11:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.
------- Sigcheck -------
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2004-10-31 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-01-20 163840]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-01-03 122940]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-21 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2009-08-23 91432]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
c:\documents and settings\Eduardo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 813584]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2010-5-17 888987]
Palo Alto Software Update Manager 9.0.lnk - c:\program files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe [2006-9-5 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Eduardo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Eduardo\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-03-21 17:36 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-04-19 21:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 5.00\\Program\\Swift3D.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\IBP 10\\IBP.exe"=
"c:\\Program Files\\Adobe\\Adobe Illustrator CS4\\Support Files\\Contents\\Windows\\Illustrator.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Smith Micro\\Poser 8\\Poser.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\winsim\\ConnectionManager\\MySqlBinary\\5.0.38\\mysql\\mysqld-nt.exe"=
"c:\\Program Files\\winsim\\ConnectionManager\\SimplyConnectionManager.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2010 10:33 AM 135336]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
R2 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [5/29/2009 10:30 PM 24576]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [8/23/2009 1:00 AM 29992]
S3 block_reader;MPR DRV;c:\documents and settings\Eduardo\Desktop\PORTABLESOFTWARE\MPR_1.1.9\Multi_Password_Recovery_1.1.9_Portable\Multi Password Recovery 1.1.9 Portable\block_reader.sys [1/10/2010 11:00 PM 1920]
S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [10/3/2009 11:31 AM 167673]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [12/10/2009 4:00 AM 42280]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 11:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{9756-3768}]
"D-Code"="0000000000"
"U-Code"="Demo"
"S-Code"="0000000000"
"C-Code"="4353753922274815"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(752)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-08-20 11:56:56
ComboFix-quarantined-files.txt 2010-08-20 15:56
ComboFix2.txt 2010-08-17 22:08
ComboFix3.txt 2010-08-17 05:46
ComboFix4.txt 2010-08-17 01:26
ComboFix5.txt 2010-08-17 22:20
Pre-Run: 43,197,009,920 bytes free
Post-Run: 43,214,147,584 bytes free
- - End Of File - - 985F35D0B69AB6DA932F2FA7B9AC6784
thanks for getting back to me.
here is the log
ComboFix 10-08-18.06 - Eduardo 08/20/2010 11:39:29.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2516 [GMT -4:00]
Running from: c:\documents and settings\Eduardo\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.
2010-08-20 14:29 . 2004-08-04 04:56 1032192 ----a-w- c:\windows\explorer.exe
2010-08-20 09:47 . 2004-10-31 11:47 502272 ----a-w- c:\windows\system32\winlogon.exe
2010-08-17 06:00 . 2010-08-17 06:13 -------- d-----w- C:\RECYCLER(2)
2010-08-17 06:00 . 2010-08-17 06:13 -------- d-----w- C:\ComboFix(2)
2010-08-15 14:37 . 2010-08-20 12:59 -------- d-----w- c:\windows\system32\NtmsData
2010-08-15 14:36 . 2010-08-15 14:36 -------- d-----w- c:\documents and settings\Eduardo\Application Data\Avira
2010-08-15 14:33 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-15 14:33 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-15 14:33 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-15 14:33 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\program files\Avira
2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-15 14:27 . 2010-08-15 14:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 14:27 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 04:47 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-15 04:47 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-15 04:47 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-15 04:47 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-15 04:47 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-20 02:35 . 2009-03-08 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 17:40 . 2009-04-20 18:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-18 17:52 . 2009-03-08 16:27 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-08-18 15:22 . 2010-08-17 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-08-18 15:22 . 2010-08-17 21:10 -------- d-----w- c:\program files\Security Task Manager
2010-08-18 15:21 . 2010-08-18 05:19 -------- d-----w- c:\documents and settings\Eduardo\Application Data\SafeReturner
2010-08-18 15:21 . 2010-08-18 05:19 -------- d-----w- c:\program files\Safe Returner
2010-08-18 15:21 . 2009-09-16 00:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-18 15:21 . 2009-09-16 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-18 04:49 . 2009-09-15 16:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-15 14:27 . 2009-03-26 22:14 -------- d-----w- c:\program files\Java
2010-08-15 05:46 . 2009-10-26 14:17 -------- d-----w- c:\documents and settings\Eduardo\Application Data\vlc
2010-08-12 10:04 . 2009-03-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-02 23:14 . 2009-03-09 01:20 189000 ----a-w- c:\documents and settings\Eduardo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-28 16:03 . 2010-05-27 23:40 -------- d-----w- c:\program files\Facebook FriendAdder Pro
2010-07-21 12:08 . 2009-03-08 11:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 00:21 . 2010-07-10 23:55 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
2010-06-14 14:30 . 2009-03-08 11:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.
------- Sigcheck -------
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2004-10-31 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-01-20 163840]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-01-03 122940]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-21 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2009-08-23 91432]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
c:\documents and settings\Eduardo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 813584]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2010-5-17 888987]
Palo Alto Software Update Manager 9.0.lnk - c:\program files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe [2006-9-5 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Eduardo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Eduardo\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-03-21 17:36 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-04-19 21:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 5.00\\Program\\Swift3D.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\IBP 10\\IBP.exe"=
"c:\\Program Files\\Adobe\\Adobe Illustrator CS4\\Support Files\\Contents\\Windows\\Illustrator.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Smith Micro\\Poser 8\\Poser.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\winsim\\ConnectionManager\\MySqlBinary\\5.0.38\\mysql\\mysqld-nt.exe"=
"c:\\Program Files\\winsim\\ConnectionManager\\SimplyConnectionManager.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2010 10:33 AM 135336]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
R2 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [5/29/2009 10:30 PM 24576]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [8/23/2009 1:00 AM 29992]
S3 block_reader;MPR DRV;c:\documents and settings\Eduardo\Desktop\PORTABLESOFTWARE\MPR_1.1.9\Multi_Password_Recovery_1.1.9_Portable\Multi Password Recovery 1.1.9 Portable\block_reader.sys [1/10/2010 11:00 PM 1920]
S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [10/3/2009 11:31 AM 167673]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [12/10/2009 4:00 AM 42280]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 11:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{9756-3768}]
"D-Code"="0000000000"
"U-Code"="Demo"
"S-Code"="0000000000"
"C-Code"="4353753922274815"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(752)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-08-20 11:56:56
ComboFix-quarantined-files.txt 2010-08-20 15:56
ComboFix2.txt 2010-08-17 22:08
ComboFix3.txt 2010-08-17 05:46
ComboFix4.txt 2010-08-17 01:26
ComboFix5.txt 2010-08-17 22:20
Pre-Run: 43,197,009,920 bytes free
Post-Run: 43,214,147,584 bytes free
- - End Of File - - 985F35D0B69AB6DA932F2FA7B9AC6784
Broni
Posts: 56,041 +516
Looks clean to me
I'm very happy for you
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
======================================================================
Re-run MBAM and post its log (if anything found).
====================================================================
Download OTL to your Desktop.
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
I'm very happy for you
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
======================================================================
Re-run MBAM and post its log (if anything found).
====================================================================
Download OTL to your Desktop.
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
heavystrato
Posts: 56 +0
Alright I will run this in a few minutes
heavystrato
Posts: 56 +0
MBAM Didnt find anything! wohooo. now OTL is runing
heavystrato
Posts: 56 +0
Broni,
Here are the 2 OTL logs.. Im crossing fingers
Here are the 2 OTL logs.. Im crossing fingers
Broni
Posts: 56,041 +516
Looks pretty good
Run OTL
======================================================================
Last scans....
1. Download Security Check from HERE, and save it to your Desktop.
2. Download Temp File Cleaner (TFC)
3. Go to Kaspersky website and perform an online antivirus scan.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
Code::OTL O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present @Alternate Data Stream - 985 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:4w7RPy3UPJGNjn7OfoMQH0q @Alternate Data Stream - 802 bytes -> C:\Program Files\Common Files\System:NBh4Yc4yOkS9Pt2qvVW95Fei @Alternate Data Stream - 797 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:WHcQPLoKikqWKzZtZIJvf @Alternate Data Stream - 794 bytes -> C:\Documents and Settings\Eduardo\Local Settings\Application Data\nqA5texec3k2Jct:Lr57yrgmiEkvlXEPlXH4KqvQ @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\STUDIOFONTS:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\resumesamples:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\OneNote Notebooks:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\My Fonts:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\InkfusionNewBorn:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\FD Trillix:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\DVDVideoSoft:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\DOTTELINESOLUTIOn:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\DIGITAL_MAGAZINE:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\Copy of public_html:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\Complete.Q.and.A.Job.Interview.Book:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\CLEANINGTOOLS:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\My Documents\AdobeStockPhotos:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\Desktop\Roland_jobs:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\Desktop\RapidShare_Managerv1.1_2008:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\Desktop\PORTABLESOFTWARE:Roxio EMC Stream @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Eduardo\Desktop\dragonball_Z:Roxio EMC Stream @Alternate Data Stream - 226 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CA4D70 @Alternate Data Stream - 219 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D282699C @Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:408F95E5 @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0C1EFF69 :Services :Reg :Files :Commands [purity] [emptytemp] [emptyflash] [Reboot] - Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- You will get a log that shows the results of the fix. Please post it.
======================================================================
Last scans....
1. Download Security Check from HERE, and save it to your Desktop.
- Double-click SecurityCheck.exe
- Follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
2. Download Temp File Cleaner (TFC)
- Double click on TFC.exe to run the program.
- Click on Start button to begin cleaning process.
- TFC will close all running programs, and it may ask you to restart computer.
3. Go to Kaspersky website and perform an online antivirus scan.
- Disable your active antivirus program.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
heavystrato
Posts: 56 +0
Thanks Broni, will do this right now
heavystrato
Posts: 56 +0
kaspersky is taking forever to donwload the database I will poste the results by tomorrow morning
I will poste the results by tomorrow morningheavystrato
Posts: 56 +0
Hi Broni,
Sorry it took a while. here are the Kaspersky and Securitycheup logs
Sorry it took a while. here are the Kaspersky and Securitycheup logs
Broni
Posts: 56,041 +516
1. Please, update your Firefox.
2. Empty Outlook Express "Deleted Items" folder. You have a lot of infected files there.
3. You have to be really careful with what you download. You can see clear results from Kaspersky's scan and your computer being infected.
Run OTL
2. Empty Outlook Express "Deleted Items" folder. You have a lot of infected files there.
3. You have to be really careful with what you download. You can see clear results from Kaspersky's scan and your computer being infected.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
Code::OTL :Services :Reg :Files C:\Documents and Settings\Eduardo\Application Data\SafeReturner\Quarantine\explorer.exe.vir C:\Program Files\SourceTec\Sothink SWF Decompiler\SWFDecompiler.exe K:\back_up\darktools\USB_steeler\USBThief_Modified_by_NEO.rar K:\back_up\illigal\WEBSITESBlack_hat\I-Faker_Desktop_Pro.rar K:\back_up\Inkfusion\illigal\WEBSITESBlack_hat\I-Faker_Desktop_Pro.rar K:\back_up\oldbackup\Desxtop_march\Spyware_Doctor_Latest_6.0.0.386_with_Antivirus_New_Serial.rar K:\back_up\SOFTWARE\MAC\PLUGINS\NIKPLUG_mac\nsD2102PSX\dfine2102psosx\Crack\xf-dfine2.exe K:\back_up\SOFTWARE\PC\Plugins\Nik_Soft_xf\Nik_Soft_xf\niksDfine.rar K:\back_up\SOFTWARE\PC\StealthFriendBomber_-_AIO_-\StealthFriendBomber - AIO -\Facebook\Keygen\Keygen.exe K:\back_up\SOFTWARE\PC\xrumer\DeCaptchaSDK_1.2.rar K:\back_up\SOFTWARE\PC\xrumer.rar K:\back_up\SOFTWARE\PORTABLESOFTWARE\Sothink.SWF.Decompiler\Sothink SWF Decompiler\Sothink SWF Decompiler 5.exe K:\back_up\SOFTWARE\PORTABLESOFTWARE\Sothink.SWF.Decompiler.rar K:\back_up\to order\WEBSITESBlack_hat\I-Faker_Desktop_Pro.rar :Commands [purity] [emptytemp] [emptyflash] [Reboot] - Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- You will get a log that shows the results of the fix. Please post it.
heavystrato
Posts: 56 +0
Here it is broni
Broni
Posts: 56,041 +516
Good
OTL Clean-Up
Clean up with OTL:
* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
====================================================================
Your computer is clean
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.
Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
2. Restart computer.
3. Turn System Restore on.
4. Make sure, Windows Updates are current.
5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.
8. Run Temporary File Cleaner (TFC) weekly.
9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.
10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
11. Run defrag at your convenience.
12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
13. Please, let me know, how your computer is doing.
OTL Clean-Up
Clean up with OTL:
* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
====================================================================
Your computer is clean
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.
Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
2. Restart computer.
3. Turn System Restore on.
4. Make sure, Windows Updates are current.
5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.
8. Run Temporary File Cleaner (TFC) weekly.
9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.
10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
11. Run defrag at your convenience.
12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
13. Please, let me know, how your computer is doing.
heavystrato
Posts: 56 +0
Great news, Broni
Thank you so much for all your help! I really really appreciate it!
Thank you so much for all your help! I really really appreciate it!
- Status
Similar threads
Latest posts
-
Razer launches $160 Viper V3 Pro gaming mouse with 8,000 Hz polling rate- user478318 replied
-
Ryzen 7 5800X3D vs. Ryzen 7 7800X3D, Ryzen 9 7900X3D and 7950X3D- Lew Zealand replied
-
Microsoft could soon sneak (more) Start menu ads into Windows
- user478318 replied
-
Despite Microsoft's push, Windows 11 and Edge see decreases in user share
- user478318 replied
