TD5 Posted April 24, 2010 ID:238423 Share Posted April 24, 2010 About 10 days ago I started to get constantly redirected on Google search entries. I updated and ran Malwarebytes and several problems were discovered, which I then cleared. The logfile is shown below. That seemed to fix the problem, almost. Now, on occasion, I'll get redirected for the initial page of a Google search result for which all entries on that first page get redirected. I change the Google search item which creates another page of results and its okay, even going back to my original search results page and everything works okay. Then a day or so later I enter a new search and it hits again. I've attached short list of a few addresses that I'm directed to redirect_info.txt, and a couple of "Unable to Connect" to servers that I encountered. Today I updated Malwarebytes and ran a quickscan. that came up with nothing. I also installed updated and ran Avira. and it came up one item related to my bank which I quarantined. both of these files are shown below.I would appreciate help to work through getting rid of the rootkit.--------------------------------------------------Initial MWAM scan-------------------------------------------------Malwarebytes' Anti-Malware 1.45www.malwarebytes.orgDatabase version: 3930Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187024/19/2010 7:42:45 PMmbam-log-2010-04-19 (19-42-45).txtScan type: Full scan (C:\|G:\|)Objects scanned: 208257Time elapsed: 1 hour(s), 16 minute(s), 38 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 2Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.----------------------------------------------2nd MWBM Scan----------------------------------------------Malwarebytes' Anti-Malware 1.45www.malwarebytes.orgDatabase version: 4029Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187024/23/2010 11:15:23 PMmbam-log-2010-04-23 (23-15-23).txtScan type: Quick scanObjects scanned: 114112Time elapsed: 8 minute(s), 9 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)_________________________ Avira log----------------------------------Avira AntiVir PersonalReport file date: Friday, April 23, 2010 20:48Scanning for 2035268 virus strains and unwanted programs.The program is running as an unrestricted full version.Online services are available:Licensee : Avira AntiVir Personal - FREE AntivirusSerial number : 0000149996-ADJIE-0000001Platform : Windows XPWindows version : (Service Pack 3) [5.1.2600]Boot mode : Normally bootedUsername : SYSTEMComputer name : ACER_PENTVersion information:BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 15:14:42VBASE006.VDF : 7.10.6.83 2048 Bytes 4/15/2010 15:14:42VBASE007.VDF : 7.10.6.84 2048 Bytes 4/15/2010 15:14:42VBASE008.VDF : 7.10.6.85 2048 Bytes 4/15/2010 15:14:42VBASE009.VDF : 7.10.6.86 2048 Bytes 4/15/2010 15:14:42VBASE010.VDF : 7.10.6.87 2048 Bytes 4/15/2010 15:14:44VBASE011.VDF : 7.10.6.88 2048 Bytes 4/15/2010 15:14:44VBASE012.VDF : 7.10.6.89 2048 Bytes 4/15/2010 15:14:44VBASE013.VDF : 7.10.6.90 2048 Bytes 4/15/2010 15:14:44VBASE014.VDF : 7.10.6.123 126464 Bytes 4/19/2010 15:14:45VBASE015.VDF : 7.10.6.152 123392 Bytes 4/21/2010 15:14:45VBASE016.VDF : 7.10.6.178 122880 Bytes 4/22/2010 15:14:46VBASE017.VDF : 7.10.6.179 2048 Bytes 4/22/2010 15:14:46VBASE018.VDF : 7.10.6.180 2048 Bytes 4/22/2010 15:14:46VBASE019.VDF : 7.10.6.181 2048 Bytes 4/22/2010 15:14:46VBASE020.VDF : 7.10.6.182 2048 Bytes 4/22/2010 15:14:46VBASE021.VDF : 7.10.6.183 2048 Bytes 4/22/2010 15:14:47VBASE022.VDF : 7.10.6.184 2048 Bytes 4/22/2010 15:14:47VBASE023.VDF : 7.10.6.185 2048 Bytes 4/22/2010 15:14:47VBASE024.VDF : 7.10.6.186 2048 Bytes 4/22/2010 15:14:47VBASE025.VDF : 7.10.6.187 2048 Bytes 4/22/2010 15:14:47VBASE026.VDF : 7.10.6.188 2048 Bytes 4/22/2010 15:14:47VBASE027.VDF : 7.10.6.189 2048 Bytes 4/22/2010 15:14:48VBASE028.VDF : 7.10.6.190 2048 Bytes 4/22/2010 15:14:48VBASE029.VDF : 7.10.6.191 2048 Bytes 4/22/2010 15:14:48VBASE030.VDF : 7.10.6.192 2048 Bytes 4/22/2010 15:14:48VBASE031.VDF : 7.10.6.196 40960 Bytes 4/23/2010 15:14:48Engineversion : 8.2.1.224 AEVDF.DLL : 8.1.2.0 106868 Bytes 4/23/2010 15:14:56AESCRIPT.DLL : 8.1.3.27 1294714 Bytes 4/23/2010 15:14:55AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 23:38:41AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 15:14:56AERDL.DLL : 8.1.4.6 541043 Bytes 4/23/2010 15:14:54AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 17:34:51AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 16:09:46AEHEUR.DLL : 8.1.1.24 2613623 Bytes 4/23/2010 15:14:53AEHELP.DLL : 8.1.11.3 242039 Bytes 4/1/2010 21:05:25AEGEN.DLL : 8.1.3.7 373106 Bytes 4/23/2010 15:14:50AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 15:14:50AECORE.DLL : 8.1.13.1 188790 Bytes 4/1/2010 21:05:25AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 15:14:49AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29Configuration settings for the scan:Jobname.............................: Complete system scanConfiguration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avpLogging.............................: lowPrimary action......................: interactiveSecondary action....................: ignoreScan master boot sector.............: onScan boot sector....................: onBoot sectors........................: C:, D:, G:, Process scan........................: onExtended process scan...............: onScan registry.......................: onSearch for rootkits.................: onIntegrity checking of system files..: offScan all files......................: All filesScan archives.......................: onRecursion depth.....................: 20Smart extensions....................: onMacro heuristic.....................: onFile heuristic......................: mediumStart of the scan: Friday, April 23, 2010 20:48Starting search for hidden objects.c:\program files\mozilla firefox\firefox.exec:\Program Files\Mozilla Firefox\firefox.exe [NOTE] The process is not visible.c:\program files\mozilla firefox\firefox.exec:\program files\mozilla firefox\firefox.exec:\program files\mozilla firefox\firefox.exec:\program files\mozilla firefox\firefox.exec:\windows\system32\verclsid.exec:\WINDOWS\system32\verclsid.exe [NOTE] The process is not visible.c:\program files\spybot - search & destroy\spybotsd.exec:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [NOTE] The process is not visible.c:\program files\spybot - search & destroy\spybotsd.exec:\program files\spybot - search & destroy\teatimer.exec:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [NOTE] The process is not visible.c:\program files\spybot - search & destroy\sdupdate.exec:\Program Files\Spybot - Search & Destroy\SDUpdate.exe [NOTE] The process is not visible.c:\program files\spybot - search & destroy\sdupdate.exec:\program files\spybot - search & destroy\sdupdate.exec:\program files\spybot - search & destroy\sdupdate.exec:\program files\windows defender\mpcmdrun.exec:\Program Files\Windows Defender\MpCmdRun.exe [NOTE] The process is not visible.c:\program files\windows defender\mpcmdrun.exeg:\program files\ca\etrust internet security suite\ccupdate\ccupdate.exeg:\Program Files\CA\eTrust Internet Security Suite\ccupdate\ccupdate.exe [NOTE] The process is not visible.c:\program files\acronis\trueimagehome\trueimagemonitor.exec:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [NOTE] The process is not visible.c:\windows\system32\imapi.exec:\WINDOWS\system32\imapi.exe [NOTE] The process is not visible.c:\program files\outlook express\msimn.exec:\Program Files\Outlook Express\msimn.exe [NOTE] The process is not visible.c:\program files\hostsman\hm.exec:\Program Files\HostsMan\hm.exe [NOTE] The process is not visible.c:\program files\hostsman\hm.exec:\program files\hostsman\hm.exec:\program files\hostsman\hm.exec:\program files\hostsman\hm.exec:\program files\hostsman\hm.exec:\windows\hh.exec:\WINDOWS\hh.exe [NOTE] The process is not visible.c:\windows\hh.exec:\windows\hh.exec:\windows\system32\wbem\wmiprvse.exec:\WINDOWS\system32\wbem\wmiprvse.exe [NOTE] The process is not visible.c:\program files\google\common\google updater\googleupdaterservice.exec:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [NOTE] The process is not visible.c:\program files\google\update\googleupdate.exec:\Program Files\Google\Update\GoogleUpdate.exe [NOTE] The process is not visible.c:\program files\google\update\googleupdate.exec:\program files\google\update\googleupdate.exec:\windows\system32\notepad.exec:\WINDOWS\system32\notepad.exe [NOTE] The process is not visible.c:\program files\avira\antivir desktop\avwsc.exec:\Program Files\Avira\AntiVir Desktop\avwsc.exe [NOTE] The process is not visible.c:\program files\avira\antivir desktop\avwsc.exec:\docume~1\tdupre~1\locals~1\temp\7zs15.tmp\hostsman_setup.tmpc:\Documents and Settings\T Duprex\Local Settings\Temp [NOTE] The process is not visible.c:\windows\system32\userinit.exec:\WINDOWS\system32\userinit.exe [NOTE] The process is not visible.c:\windows\system32\dumprep.exec:\WINDOWS\system32\dumprep.exe [NOTE] The process is not visible.c:\windows\system32\wgatray.exec:\WINDOWS\system32\WgaTray.exe [NOTE] The process is not visible.c:\program files\compact wireless-g usb adapter wireless network monitor\wusb54gc.exec:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe [NOTE] The process is not visible.g:\program files\winkey\winkey.exeg:\Program Files\Winkey\WinKey.exe [NOTE] The process is not visible.c:\program files\compact wireless-g usb adapter wireless network monitor\pcarmdrv.exec:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\PCARmDrv.exe [NOTE] The process is not visible.c:\windows\system32\taskmgr.exec:\WINDOWS\system32\taskmgr.exe [NOTE] The process is not visible.c:\windows\system32\taskmgr.exeg:\program files\ca\etrust internet security suite\cawsc.exeg:\Program Files\CA\eTrust Internet Security Suite\cawsc.exe [NOTE] The process is not visible.c:\windows\system32\dwwin.exec:\WINDOWS\system32\dwwin.exe [NOTE] The process is not visible.c:\program files\java\jre6\bin\jqsnotify.exec:\Program Files\Java\jre6\bin\jqsnotify.exe [NOTE] The process is not visible.c:\docume~1\tdupre~1\locals~1\temp\temporary directory 1 for hm_3.2.73_installer.zip\hostsman_setup.exec:\Documents and Settings\T Duprex\Local Settings\Temp [NOTE] The process is not visible.c:\program files\hostsman\uninstall.exec:\Program Files\HostsMan\uninstall.exe [NOTE] The process is not visible.c:\program files\microsoft intellipoint\dpupdchk.exec:\Program Files\Microsoft IntelliPoint\dpupdchk.exe [NOTE] The process is not visible.c:\program files\microsoft intellipoint\ipoint.exec:\Program Files\Microsoft IntelliPoint\ipoint.exe [NOTE] The process is not visible.c:\progra~1\common~1\micros~1\dw\dwtrig20.exec:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [NOTE] The process is not visible.c:\windows\system32\nwiz.exec:\WINDOWS\system32\nwiz.exe [NOTE] The process is not visible.c:\windows\system32\rundll32.exec:\WINDOWS\system32\rundll32.exe [NOTE] The process is not visible.c:\program files\avira\antivir desktop\avgnt.exec:\Program Files\Avira\AntiVir Desktop\avgnt.exe [NOTE] The process is not visible.c:\program files\avira\antivir desktop\avconfig.exec:\Program Files\Avira\AntiVir Desktop\avconfig.exe [NOTE] The process is not visible.The scan of running processes will be startedScan process 'rsmsink.exe' - '31' Module(s) have been scannedScan process 'msdtc.exe' - '42' Module(s) have been scannedScan process 'dllhost.exe' - '63' Module(s) have been scannedScan process 'dllhost.exe' - '47' Module(s) have been scannedScan process 'vssvc.exe' - '50' Module(s) have been scannedScan process 'avscan.exe' - '69' Module(s) have been scannedScan process 'avcenter.exe' - '111' Module(s) have been scannedScan process 'TeaTimer.exe' - '42' Module(s) have been scannedScan process 'WUSB54GC.exe' - '63' Module(s) have been scannedScan process 'igfxsrvc.exe' - '32' Module(s) have been scannedScan process 'ccprovsp.exe' - '24' Module(s) have been scannedScan process 'Explorer.EXE' - '137' Module(s) have been scannedScan process 'svchost.exe' - '36' Module(s) have been scannedScan process 'alg.exe' - '37' Module(s) have been scannedScan process 'PDEngine.exe' - '44' Module(s) have been scannedScan process 'WLService.exe' - '15' Module(s) have been scannedScan process 'TrueImageTryStartService.exe' - '30' Module(s) have been scannedScan process 'svchost.exe' - '41' Module(s) have been scannedScan process 'PDAgent.exe' - '46' Module(s) have been scannedScan process 'mdm.exe' - '24' Module(s) have been scannedScan process 'LockServ.exe' - '47' Module(s) have been scannedScan process 'LSSrvc.exe' - '19' Module(s) have been scannedScan process 'GoogleUpdate.exe' - '37' Module(s) have been scannedScan process 'jqs.exe' - '37' Module(s) have been scannedScan process 'ccschedulersvc.exe' - '36' Module(s) have been scannedScan process 'isafe.exe' - '42' Module(s) have been scannedScan process 'mDNSResponder.exe' - '37' Module(s) have been scannedScan process 'avshadow.exe' - '28' Module(s) have been scannedScan process 'awServ.exe' - '105' Module(s) have been scannedScan process 'AppleMobileDeviceService.exe' - '37' Module(s) have been scannedScan process 'avguard.exe' - '57' Module(s) have been scannedScan process 'schedul2.exe' - '23' Module(s) have been scannedScan process 'MemCheck.exe' - '45' Module(s) have been scannedScan process 'a2service.exe' - '30' Module(s) have been scannedScan process 'svchost.exe' - '36' Module(s) have been scannedScan process 'sched.exe' - '48' Module(s) have been scannedScan process 'UmxAgent.exe' - '45' Module(s) have been scannedScan process 'UmxPol.exe' - '25' Module(s) have been scannedScan process 'UmxCfg.exe' - '38' Module(s) have been scannedScan process 'rundll32.exe' - '50' Module(s) have been scannedScan process 'spoolsv.exe' - '72' Module(s) have been scannedScan process 'svchost.exe' - '48' Module(s) have been scannedScan process 'svchost.exe' - '168' Module(s) have been scannedScan process 'MsMpEng.exe' - '44' Module(s) have been scannedScan process 'svchost.exe' - '44' Module(s) have been scannedScan process 'svchost.exe' - '56' Module(s) have been scannedScan process 'lsass.exe' - '61' Module(s) have been scannedScan process 'services.exe' - '39' Module(s) have been scannedScan process 'winlogon.exe' - '87' Module(s) have been scannedScan process 'csrss.exe' - '14' Module(s) have been scannedScan process 'smss.exe' - '2' Module(s) have been scannedStarting master boot sector scan:Master boot sector HD0 [iNFO] No virus was found!Master boot sector HD1 [iNFO] No virus was found!Master boot sector HD2 [iNFO] No virus was found!Start scanning boot sectors:Boot sector 'C:\' [iNFO] No virus was found!Boot sector 'D:\' [iNFO] No virus was found!Boot sector 'G:\' [iNFO] No virus was found!Starting to scan executable files (registry).The registry was scanned ( '474' files ).Starting the file scan:Begin scan in 'C:\' <Operatiing System>C:\Documents and Settings\T Duprex\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\Bank of America.dbx [DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virusBegin scan in 'D:\' <SCRATCH>Begin scan in 'G:\' <APPLICATIONS>Beginning disinfection:C:\Documents and Settings\T Duprex\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\Bank of America.dbx [DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus [NOTE] The file was moved to the quarantine directory under the name '4f44fc00.qua'.End of the scan: Friday, April 23, 2010 22:32Used time: 1:00:43 Hour(s)The scan has been done completely. 9015 Scanned directories 362777 Files were scanned 1 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 1 Files were moved to quarantine 0 Files were renamed 0 Files cannot be scanned 362776 Files not concerned 7776 Archives were scanned 0 Warnings 1 Notes 466793 Objects were scanned with rootkit scan 57 Hidden objects were foundinitial_mbam_log_2010_04_19__19_42_45_.txt Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 24, 2010 Staff ID:238436 Share Posted April 24, 2010 Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.1.Please do not run any other tool untill instructed to do so!2.Please reply to this thread, do not start another!3.Please tell me about any problems that have occurred during the fix.4.Please tell me of any other symptoms you may be having as these can help also.5.Please try as much as possible not to run anything while executing a fix.If you follow these instructions, everything should go smoothly.I would like to get a better look at your system, please do the following so I can get some more detailed logs.DeFogger: Please download DeFogger to your desktop.Double click DeFogger to run the tool. The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OKDeFogger may ask you to reboot the machine, if it does - click OKDo not re-enable these drivers until otherwise instructed.IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.Download DDS:Please download DDS by sUBs from one of the links below and save it to your desktop:Download DDS and save it to your desktopLink1Link2Link3Please disable any anti-malware program that will block scripts from running before running DDS.Double-Click on dds.scr and a command window will appear. This is normal.Shortly after two logs will appear: DDS.txt Attach.txt[*]A window will open instructing you save & post the logs[*]Save the logs to a convenient place such as your desktop[*]Copy the contents of both logs & post in your next replyGmerDownload GMER Rootkit Scanner from here.Double click the .exe file. If asked to allow gmer.sys driver to load, please consentIf it gives you a warning about rootkit activity and asks if you want to run scan...click on NOIn the right panel, you will see several boxes that have been checked. Uncheck the following ...IAT/EATDrives/Partition other than Systemdrive (typically C:\) Show All (don't miss this one)[*]Then click the Scan button & wait for it to finish[*]Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file[*]Save it where you can easily find it, such as your desktop, and post it in reply**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entriesNote: Do not run any programs while Gmer is running.information and logs:In your next post I need the following1.logs from DDS2.log from GMER3.let me know of any problems you may have hadGringo Link to post Share on other sites More sharing options...
TD5 Posted April 24, 2010 Author ID:238698 Share Posted April 24, 2010 Gringo:As instructed I have obtained the DDS.txt, Attach.txt, and Gmer,txt files.Problem encountered:I had a problem with Gmer, in that when it finished the first time, when I clicked on SAVE and then typed Gmer.txt, then save the system locked up. I manually powered the system down to recover and consequently lost the Gmer log. This was almost four hours of scan I had to redo (I have over 200,000 files on my C drive). The second time through when Gmer finished, the address line went blank and the Save, and Copy buttons never came on, only the Scan button was indicating that it was selectable. I went ahead and clicked on copy based on what happened the first time and was successful in getting it on the clipboard and a file.Thanks for helping me. Tom D.DDS.TXT file:DDS (Ver_10-03-17.01) - NTFSx86 Run by T Duprex at 6:09:53.04 on Sat 04/24/2010Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -4:00]AV: CA Anti-Virus Plus *On-access scanning disabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exeC:\Program Files\Avira\AntiVir Desktop\sched.exesvchost.exeC:\Program Files\a-squared Free\a2service.exeC:\Acer\Empowering Technology\ePerformance\MemCheck.exeC:\Program Files\Common Files\Acronis\Schedule2\schedul2.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Acer\LANScope Agent\awServ.exeC:\Program Files\Avira\AntiVir Desktop\avshadow.exeC:\Program Files\Bonjour\mDNSResponder.exeG:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus Plus\isafe.exeG:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Google\Update\GoogleUpdate.exec:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Acer\Empowering Technology\eLock\LockServ.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Raxco\PerfectDisk\PDAgent.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeC:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exeC:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exeC:\Program Files\Raxco\PerfectDisk\PDEngine.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\rundll32.exeG:\Program Files\Winkey\WinKey.exeC:\Program Files\Microsoft IntelliPoint\dpupdchk.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Documents and Settings\T Duprex\Desktop\Defogger.exeC:\Program Files\Brownie\brstswnd.exeC:\Program Files\Brownie\Brnipmon.exeG:\Program Files\CA\eTrust Internet Security Suite\casc.exeG:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exeC:\WINDOWS\system32\wscntfy.exeC:\Documents and Settings\T Duprex\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = about:blankuSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/uInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search/?q=%smSearchAssistant = hxxp://www.google.com/ieuURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: AutorunsDisabled - No FileBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No FileBHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dllTB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No FileTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No FileuRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exemRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hidemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"mRun: [nwiz] nwiz.exe /installmRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /mindRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -tStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winkey.lnk - g:\program files\winkey\WinKey.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exeuPolicies-explorer: NoActiveDesktop = 00000000IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - g:\progra~1\micros~1\office10\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~1\office11\REFIEBAR.DLLIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllLSP: c:\windows\system32\VetRedir.dllDPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cabDPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cabDPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222599322578DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cabDPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cabNotify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.dllNotify: igfxcui - igfxdev.dllNotify: PFW - UmxWnp.DllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dllSEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No FileSecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,LSA: Authentication Packages = msv1_0 relog_apHosts: 127.0.0.1 www.spywareinfo.com================= FIREFOX ===================FF - ProfilePath - c:\docume~1\tdupre~1\applic~1\mozilla\firefox\profiles\38bduv9u.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dllFF - plugin: c:\program files\google\google updater\2.4.1739.5352\npCIDetect13.dllFF - plugin: c:\program files\google\picasa3\npPicasa3.dllFF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dllFF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}---- FIREFOX POLICIES ----FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);============= SERVICES / DRIVERS ===============R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2009-12-23 132088]R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-23 11608]R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-12-23 78840]R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]R1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-4-21 1872320]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-23 135336]R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-23 267432]R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-23 60936]R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2006-4-21 67072]R2 CAISafe;CAISafe;g:\program files\ca\etrust internet security suite\ca anti-virus plus\isafe.exe [2010-4-19 212992]R2 ccSchedulerSVC;CA Common Scheduler Service;g:\program files\ca\etrust internet security suite\ccschedulersvc.exe [2010-4-19 206160]R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-12-7 17536]R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-12-7 90112]R2 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-7-13 760664]R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-7-27 227832]R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-9-30 239608]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\empowering technology\eacoustics\oddspeedctl\speedcontrol.exe [2006-12-7 81920]S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-8-6 39048]S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]S3 SASENUM;SASENUM;g:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-9-20 11520]============== File Associations ===============regfile=regedit.exe "%1" %*scrfile="%1" %*=============== Created Last 30 ================2010-04-24 10:01:36 0 ----a-w- c:\documents and settings\t duprex\defogger_reenable2010-04-24 00:48:13 0 d-----w- c:\docume~1\tdupre~1\applic~1\Avira2010-04-23 23:51:48 0 d-----w- c:\program files\HostsMan2010-04-23 15:13:32 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys2010-04-23 15:13:30 0 d-----w- c:\program files\Avira2010-04-23 15:13:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira2010-04-22 10:47:04 89360 ----a-w- c:\windows\system32\VB5DB.DLL2010-04-21 14:23:19 0 d-----w- c:\program files\a-squared Free2010-04-21 11:03:42 0 d-----w- c:\program files\Spybot - Search & Destroy2010-04-21 11:03:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2010-04-20 02:22:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop2010-04-20 02:19:03 0 d-----w- c:\program files\CA2010-04-20 02:18:56 95472 ----a-w- c:\windows\system32\Vetredir.dll2010-04-20 02:18:56 201968 ----a-w- c:\windows\system32\Isafprod.dll2010-04-20 02:18:56 128240 ----a-w- c:\windows\system32\Isafeif.dll2010-04-20 00:02:17 4194372 ----a-w- c:\windows\pfirewall.log.old2010-04-19 11:26:20 0 d-----w- c:\program files\Bonjour Print Services2010-04-19 11:26:04 0 d-----w- c:\program files\Bonjour2010-04-19 11:12:17 3584 ----a-w- c:\windows\VIEWS.DAT2010-04-15 23:55:27 75776 --sha-r- c:\windows\system32\ir41_32O.dll2010-04-02 09:53:24 0 d-----w- C:\7d8f10c5cf454becdd1afedc6a37==================== Find3M ====================2010-04-19 10:21:31 67960 ----a-w- c:\docume~1\tdupre~1\applic~1\GDIPFONTCACHEV1.DAT2010-04-15 23:56:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys2010-04-04 21:12:27 411368 ----a-w- c:\windows\system32\deploytk.dll2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys2010-03-25 00:14:00 91424 ----a-w- c:\windows\system32\dnssd.dll2010-03-25 00:14:00 197920 ----a-w- c:\windows\system32\dnssdX.dll2010-03-25 00:14:00 107808 ----a-w- c:\windows\system32\dns-sd.exe2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe2010-02-24 13:11:07 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll2006-12-25 04:34:36 5 --sha-w- c:\windows\system32\dedea9_g.dll2008-08-05 06:02:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat============= FINISH: 6:10:24.95 ===============ATTACH.TXT file:UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH ITDDS (Ver_10-03-17.01)Microsoft Windows XP ProfessionalBoot Device: \Device\HarddiskVolume2Install Date: 12/7/2006 10:31:30 AMSystem Uptime: 4/24/2010 5:26:49 AM (1 hours ago)Motherboard: Acer | | E946GZ Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 2400/200mhz==== Disk Partitions =========================C: is FIXED (NTFS) - 137 GiB total, 112.901 GiB free.D: is FIXED (NTFS) - 12 GiB total, 11.59 GiB free.E: is CDROM ()F: is CDROM ()G: is FIXED (NTFS) - 112 GiB total, 93.66 GiB free.H: is Removable==== Disabled Device Manager Items ================= System Restore Points ===================RP2: 4/16/2010 8:26:28 AM - Software Distribution Service 3.0RP3: 4/18/2010 8:27:29 PM - System CheckpointRP4: 4/18/2010 10:14:48 PM - Removed QuickTimeRP5: 4/18/2010 10:33:06 PM - ZJH.exe renamedRP6: 4/19/2010 7:26:15 AM - Installed Bonjour Print ServicesRP7: 4/19/2010 10:40:56 AM - Software Distribution Service 3.0RP8: 4/19/2010 12:09:04 PM - Windows Defender CheckpointRP9: 4/19/2010 7:31:32 PM - Removed PayPal Plug-InRP10: 4/19/2010 10:17:45 PM - CA Internet Security SuiteRP11: 4/19/2010 10:36:47 PM - CA Internet Security SuiteRP12: 4/20/2010 12:08:30 AM - malware cleaned upRP13: 4/20/2010 8:26:32 AM - Software Distribution Service 3.0RP14: 4/20/2010 12:00:23 PM - 4-20-10 after all clean ups and individual images for C and G drivesRP15: 4/21/2010 6:39:06 AM - Malware aborting after 44000 entriesRP16: 4/22/2010 6:46:59 AM - Installed Ainsworth Keypad Trainer (Evaluation Copy)RP17: 4/22/2010 6:53:27 AM - Removed Ainsworth Keypad Trainer (Evaluation Copy)RP18: 4/22/2010 7:10:56 AM - Routine looks like redirects are goneRP19: 4/23/2010 3:38:25 AM - Software Distribution Service 3.0==== Installed Programs ======================a-squared Free 4.5ABC Amber Audio ConverterAcer eAcoustics ManagementAcer eDataSecurity ManagementAcer eDataSecurity Management 2.0.3077Acer eLock ManagementAcer Empowering TechnologyAcer ePerformance ManagementAcer eSettings ManagementAcer LANScope AgentAcer WLAN 11g USB DongleAcronis Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 25, 2010 Staff ID:238890 Share Posted April 25, 2010 Greetings TD5:multiple Anti Virus programs: It looks like you are operating your computer with multiple Anti Virus programs running in memory at once: AV: CA Anti-Virus Plus AV: AntiVir DesktopAnti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.Run Combofix:Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you. Please include the report in your next post:C:\ComboFix.txt"information and logs"In your next post I need the followingLog from Combofixlet me know of any problems you may have hadHow is the computer doing now?Gringo Link to post Share on other sites More sharing options...
TD5 Posted April 26, 2010 Author ID:239427 Share Posted April 26, 2010 Gringo:As requested: Combofix Log.Problem? When I ran combofix the first time. The program ran all 50 stages and was preparing log file, got the the "Almost Done" and the system rebooted. I ran Combofix again it went off uneventfully.=================================================ComboFix 10-04-21.01 - T Duprex 04/26/2010 7:16.2.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1530 [GMT -4:00]Running from: c:\documents and settings\T Duprex\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..---- Previous Run -------.c:\windows\system32\_000006_.tmp.dllc:\windows\system32\_000007_.tmp.dllc:\windows\system32\_000008_.tmp.dllc:\windows\system32\_000011_.tmp.dllc:\windows\system32\_000012_.tmp.dllc:\windows\system32\drivers\snetcfg.exe.((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 ))))))))))))))))))))))))))))))).2010-04-24 00:48 . 2010-04-24 00:48 -------- d-----w- c:\documents and settings\T Duprex\Application Data\Avira2010-04-23 23:51 . 2010-04-23 23:51 -------- d-----w- c:\program files\HostsMan2010-04-23 15:13 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys2010-04-23 15:13 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys2010-04-23 15:13 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2010-04-23 15:13 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2010-04-23 15:13 . 2010-04-23 15:13 -------- d-----w- c:\program files\Avira2010-04-23 15:13 . 2010-04-23 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2010-04-22 10:47 . 2004-11-28 12:44 89360 ----a-w- c:\windows\system32\VB5DB.DLL2010-04-21 14:23 . 2010-04-21 15:55 -------- d-----w- c:\program files\a-squared Free2010-04-21 11:03 . 2010-04-25 12:19 -------- d-----w- c:\program files\Spybot - Search & Destroy2010-04-21 11:03 . 2010-04-25 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2010-04-20 02:22 . 2010-04-20 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop2010-04-20 02:19 . 2010-04-20 11:32 -------- d-----w- c:\program files\CA2010-04-20 02:18 . 2009-11-20 21:19 201968 ----a-w- c:\windows\system32\Isafprod.dll2010-04-20 02:18 . 2009-11-20 21:18 95472 ----a-w- c:\windows\system32\Vetredir.dll2010-04-20 02:18 . 2009-11-20 21:18 128240 ----a-w- c:\windows\system32\Isafeif.dll2010-04-19 22:24 . 2010-04-19 22:24 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe2010-04-19 22:23 . 2010-04-20 00:01 52224 ----a-w- c:\documents and settings\T Duprex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll2010-04-19 22:22 . 2010-04-20 00:01 117760 ----a-w- c:\documents and settings\T Duprex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2010-04-19 11:26 . 2010-04-19 11:26 -------- d-----w- c:\program files\Bonjour Print Services2010-04-19 11:26 . 2010-04-19 11:26 -------- d-----w- c:\program files\Bonjour2010-04-19 11:12 . 2010-04-19 11:12 3584 ----a-w- c:\windows\VIEWS.DAT2010-04-18 16:21 . 2010-04-18 16:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp2010-04-15 23:55 . 2010-04-15 23:55 75776 --sha-r- c:\windows\system32\ir41_32O.dll2010-04-02 09:53 . 2010-04-02 09:53 -------- d-----w- C:\7d8f10c5cf454becdd1afedc6a37.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-04-25 12:19 . 2006-12-25 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\CA2010-04-24 01:02 . 2006-12-26 04:59 766 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_227e16df.exe2010-04-24 01:02 . 2006-12-26 04:59 1094 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_73fa73b0.exe2010-04-24 01:02 . 2006-12-26 04:59 1078 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_46153a90.exe2010-04-24 01:02 . 2006-12-26 04:59 1078 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_39c351af.exe2010-04-24 01:02 . 2006-12-26 04:59 1078 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_227a6ce3.exe2010-04-22 10:53 . 2006-07-20 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information2010-04-21 14:46 . 2009-07-16 01:41 -------- d-----w- c:\program files\AVS4YOU2010-04-19 18:53 . 2008-09-05 11:02 -------- d-----w- c:\program files\Quicken2010-04-15 23:56 . 2009-10-18 16:52 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys2010-04-04 21:13 . 2006-12-07 15:32 -------- d-----w- c:\program files\Common Files\Java2010-04-04 21:12 . 2008-12-26 21:20 411368 ----a-w- c:\windows\system32\deploytk.dll2010-04-02 19:25 . 2009-10-19 18:42 -------- d-----w- c:\documents and settings\T Duprex\Application Data\Corel2010-03-30 04:46 . 2008-08-08 12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-03-30 04:45 . 2008-08-08 12:38 20824 ----a-w- c:\windows\system32\drivers\mbam.sys2010-03-25 00:14 . 2010-03-25 00:14 91424 ----a-w- c:\windows\system32\dnssd.dll2010-03-25 00:14 . 2010-03-25 00:14 197920 ----a-w- c:\windows\system32\dnssdX.dll2010-03-25 00:14 . 2010-03-25 00:14 107808 ----a-w- c:\windows\system32\dns-sd.exe2010-03-10 06:15 . 2004-08-04 05:00 420352 ----a-w- c:\windows\system32\vbscript.dll2010-02-25 06:24 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll2010-02-24 14:16 . 2009-10-02 22:31 181632 ------w- c:\windows\system32\MpSigStub.exe2010-02-24 13:11 . 2005-01-19 04:26 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr2010-02-16 14:08 . 2005-09-29 00:02 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe2010-02-16 13:25 . 2005-09-28 23:35 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe2010-02-12 04:33 . 2004-08-04 05:00 100864 ----a-w- c:\windows\system32\6to4svc.dll2010-02-11 12:02 . 2006-12-09 15:47 226880 ------w- c:\windows\system32\drivers\tcpip6.sys2010-01-28 04:35 . 2010-01-28 04:35 503808 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-296b9594-n\msvcp71.dll2010-01-28 04:35 . 2010-01-28 04:35 499712 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-296b9594-n\jmc.dll2010-01-28 04:35 . 2010-01-28 04:35 348160 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-296b9594-n\msvcr71.dll2010-01-28 04:35 . 2010-01-28 04:35 61440 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2315cb24-n\decora-sse.dll2010-01-28 04:35 . 2010-01-28 04:35 12800 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2315cb24-n\decora-d3d.dll2009-09-03 23:37 . 2009-09-03 23:37 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll2009-09-03 23:58 . 2009-09-03 23:58 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll2006-12-25 04:34 . 2006-12-25 04:34 5 --sha-w- c:\windows\system32\dedea9_g.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]"nwiz"="nwiz.exe" [2006-04-28 1519616]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]c:\documents and settings\All Users\Start Menu\Programs\Startup\WinKey.lnk - g:\program files\Winkey\WinKey.exe [2007-1-26 99840][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 16:05 356352 ----a-w- g:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ autocheck pdboot.exe\0autocheck autochk *[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]@="Service"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTrayHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime TaskHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"PhotoShow Deluxe Media Manager"=c:\progra~1\Nero\data\Xtras\mssysmgr.exe"SUPERAntiSpyware"=g:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"eDataSecurity Loader"=c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe 0"eLockMonitor"=c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe"eRecoveryService"=c:\acer\Empowering Technology\eRecovery\eRAgent.exe"Acer Empowering Technology Monitor"=c:\windows\system32\SysMonitor.exe"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"HotKeysCmds"=c:\windows\system32\hkcmd.exe"Persistence"=c:\windows\system32\igfxpers.exe"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC"LaunchApp"=Alaunch"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe""pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM"EPSON Stylus Photo 820 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820""Adobe Photo Downloader"="g:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe""iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe""AcronisTimounterMonitor"=c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe""Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe""Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe""TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe"cctray"="g:\program files\ca\etrust internet security suite\casc.exe"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"9999:UDP"= 9999:UDP:AdminWorks UDP Port"2804:TCP"= 2804:TCP:AdminWorks TCP PortR1 SASDIFSV;SASDIFSV;g:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 12:06 PM 8944]R1 SASKUTIL;SASKUTIL;g:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/21/2010 10:23 AM 1872320]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2010 11:13 AM 135336]R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [12/7/2006 11:38 AM 17536]R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [12/7/2006 11:38 AM 90112]R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 10:19 PM 13592]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:56 PM 135664]S2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [12/7/2006 11:39 AM 81920]S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [8/6/2007 7:24 PM 39048]S3 SASENUM;SASENUM;g:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [9/20/2009 7:05 PM 11520].Contents of the 'Scheduled Tasks' folder2010-04-26 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-22 11:15]2010-04-26 c:\windows\Tasks\MP Scheduled Scan.job- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]..------- Supplementary Scan -------.uStart Page = about:blankuSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/uInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search/?q=%sIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cabDPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cabFF - ProfilePath - c:\documents and settings\T Duprex\Application Data\Mozilla\Firefox\Profiles\38bduv9u.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dllFF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dllFF - plugin: c:\program files\Google\Picasa3\npPicasa3.dllFF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);.- - - - ORPHANS REMOVED - - - -BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)**************************************************************************scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: **************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-133351039-1622961813-2181170887-1005\Software\Local AppWizard-Generated Applications\Launch Tool]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-133351039-1622961813-2181170887-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids]@DACL=(02 0000)@SACL="Paint.Picture"=hex(0):"Photoshop.BMPFile"=hex(0):[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2A9FC36D-364D-4234-8C61-89B815492E9C}\TypeLib]@DACL=(02 0000)@SACL=@="{5084C91D-B702-4EA0-967D-727DF7007782}""Version"="7.0.0"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6EE4DCBB-CE99-4994-A12A-242CEBDD691C}\TypeLib]@DACL=(02 0000)@SACL=@="{DB877FF4-E68D-4A4F-8004-9F806CBE755B}""Version"="3.0.1"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{877883EB-56B2-4736-815E-1BA97B44D3E5}\TypeLib]@DACL=(02 0000)@SACL=@="{3822BDA0-196A-4728-8C33-9263D243FD96}""Version"="4.0.0"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{8C822816-06E7-4b2d-967B-7611B2AC9CC7}\TypeLib]@DACL=(02 0000)@SACL=@="{6ABA073A-5EEF-4CE0-8B42-E4815C4D4F05}""Version"="1.0.0"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{A698C8BC-E677-4030-8676-18FF0095C239}\TypeLib]@DACL=(02 0000)@SACL=@="{7F4DC91B-C08D-41E1-9FF3-DBEDE2EF1455}""Version"="3.0.8"[HKEY_LOCAL_MACHINE\software\muvee Technologies\030625]@DACL=(02 0000)@SACL=[HKEY_LOCAL_MACHINE\software\muvee Technologies\muvee SDK - NTI_5]@DACL=(02 0000)@SACL=[HKEY_LOCAL_MACHINE\software\NewTech Infosystems\NTI CD-MakerV7\OEMUrl]@DACL=(02 0000)@SACL="Home"="http://global.acer.com"[HKEY_LOCAL_MACHINE\software\Realtek Semiconductor Corp.\Realtek High Definition Audio Driver]@DACL=(02 0000)@SACL=.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(976)c:\windows\system32\GTGina.dllg:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\WININET.dll- - - - - - - > 'lsass.exe'(1040)c:\windows\system32\relog_ap.dll- - - - - - - > 'explorer.exe'(3556)c:\windows\system32\WININET.dllc:\windows\system32\nview.dllc:\progra~1\WINDOW~2\wmpband.dllc:\windows\system32\ieframe.dllc:\windows\system32\nvwddi.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.Completion time: 2010-04-26 07:22:26ComboFix-quarantined-files.txt 2010-04-26 11:22Pre-Run: 122,672,848,896 bytes freePost-Run: 122,633,785,344 bytes free- - End Of File - - 6328C1FE7B14B4E70D3306A5D6AC7E22 Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 26, 2010 Staff ID:239738 Share Posted April 26, 2010 Greetings I would like to know how the computer is doing now??Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..extra combofix reportI need to see one of the extra reports combofix makespush the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)please copy and past the following into the boxC:\Qoobox\ComboFix-quarantined-files.txtclick okcopy and paste the report into this topic for me to reviewuninstall some programs1. click on start2. then go to settings3. after that you need control panel4. look for the icon add/remove programsclick on the following programs J2SE Runtime Environment 5.0 Update 6Java Auto UpdaterJava Link to post Share on other sites More sharing options...
TD5 Posted April 27, 2010 Author ID:239832 Share Posted April 27, 2010 Gringo:I have provided the files you've asked for below but first let me update you on the problem. It has gone away since I purged my HOSTS file. Today I looked through my HOSTS file page by page. I found ten entries that had been commented out with the # sign which means they were not being screened out and sent to 170.0.0.1 I didn't comment out these entries. here are the entries. comments uninstall. bestoofersnetworks.com (disabled to allow unistall) www.bestoffernetworks.com [TROJ_NAIL.A]{disabled to allow uninstall] www.mypctuneup.com [disabled to allow uninstall] ads.viaarena.com i.i.com rcm.images.amazon.com images.viacomlocalnetworks.com ia.imdb.com images.chron.com lads.myspace.comI deleted all HOSTS entries after the 38.25.63.10 example entry in the beginning and reloaded/updated the HOSTS file from mvps hosts. I have tried over 20 times to reproduce the problem since I cleared the HOSTS file. It had not reappeared and I have not been able to make it happen.Is it a fair assumption to say that my computer is infected and that is still trying to do something but the HOSTS file is blocking it? ====================================================COMBOFIX REPORT:2010-04-26 11:21:32 . 2010-04-26 11:21:32 146 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat2010-04-26 11:21:24 . 2010-04-26 11:21:24 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98}.reg.dat2010-04-26 11:21:24 . 2010-04-26 11:21:24 200 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat2010-04-26 11:21:23 . 2010-04-26 11:21:23 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed}.reg.dat2010-04-26 11:11:05 . 2010-04-26 11:19:47 7,534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg2010-04-26 11:06:25 . 2010-04-26 11:16:06 102 ----a-w- C:\Qoobox\Quarantine\catchme.log2006-12-07 15:34:01 . 2004-08-04 05:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir2005-09-14 01:56:00 . 2005-09-14 01:56:00 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\snetcfg.exe.vir2004-10-28 01:21:02 . 2004-10-28 01:21:02 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.vir=========================================================I uninstalled J2SE Runtime Environment, Java 6 Update 7, and did not remove Jave 6 Update 19I updated Java, I had to go to the Java webside. The coffee cup route would not let me update because it complained about not getting to the internet. I spent some time looking into, disabled the firewall and all options in Firefox and still had the problem so I went directly to the side downloaded installed and everything went okay.I then Deleted the files via the coffee cup/control panel route and it went okay.===========================================================TFCRan TFC, no problem=============================================================Ran Malwarebytes.the log is below. However, two of your instructions didn't make sense, or I'm missing something.In the 5th line down you say, " When the program is complete, click OK (no problem), Then Show Results to view the results (there was no "show results") the results poppep up automatically.then in the 6th line you say "Be sure everything is Checked (ticked) except items in the C:|System Volume information folder and click on Removed Selected. ???could not relate this to anything that malwarebytes was showing.MALBYTESWARE LOGMalwarebytes' Anti-Malware 1.45www.malwarebytes.orgDatabase version: 4041Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187024/26/2010 8:04:07 PMmbam-log-2010-04-26 (20-04-07).txtScan type: Quick scanObjects scanned: 113371Time elapsed: 4 minute(s), 56 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)=================================================================KASPERSKY SCANThe Kaspersy website is currently not offering a online scan while they are apparently updating it. So I went ahead and downloaded the trial version, installed, updated and ran it.It showed 0 for virus, trojan, malicious tools, adware, and riskware. I did a quick scan, and and objects scan.================================================================ Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 27, 2010 Staff ID:239988 Share Posted April 27, 2010 Hello TD5In the 5th line down you say, " When the program is complete, click OK (no problem), Then Show Results to view the results (there was no "show results") the results poppep up sometimes it don't popup so I have that in my instructions just in casethen in the 6th line you say "Be sure everything is Checked (ticked) except items in the C:|System Volume information folder and click on Removed Selected. ??? that means it did not find anything in system restore - which is goodThe Kaspersy website is currently not offering a online scan while they are apparently updating it. So I went ahead and downloaded the trial version, installed, updated and ran it. thanks for letting me know and also uninstall the trial as we don.t want two antiviruses runningIs it a fair assumption to say that my computer is infected and that is still trying to do something but the HOSTS file is blocking it? the malware changed the host file that is what was causing the redirects - we removed the malware so it could not rechange the host file back after you fixed itThe logs look good right now so I am going to give you my all clean - I will leave this open for a few days so if the redirects come back just come back here and let me know or if you have anymore problems let me know.The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. :Uninstall ComboFix:push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button) please copy and past the following into the box ComboFix /Uninstall and click OK. Note the space between the X and the /Uninstall, it needs to be there.:DeFogger:To re-enable your Emulation drivers, double click DeFogger to run the tool. The application window will appear Click the Re-enable button to re-enable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OKIMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.Your Emulation drivers are now re-enabled.:Make your Internet Explorer more secure:please visit this page that gives instructions to do thishttp://surfthenetsafely.com/ieseczone8.htm:Turn On Automatic Updates:Turn On Automatic Updates1. Click Start, click Run, type sysdm.cpl, and then press ENTER. 2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule. or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.:antispyware programs:you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them alsoI would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines. please read this great article by miekiemoes How to prevent Malware:andthis great article by Tony Klein So How Did I Get Infected In First PlaceNow you have followed my advice - it's time to lodge a complaint against what you have suffered......... Malware Complaints If you were infected .... Stand Up and be Counted. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:Gringo Link to post Share on other sites More sharing options...
TD5 Posted April 27, 2010 Author ID:240045 Share Posted April 27, 2010 Gringo:The problem appears to have been resolved. In addition, my computer is booting faster and appears to be fasted on the internet. I'm still at a loss to understand what malware was found. You say, "we removed the malware so it could not rechange the host file back after you fixed it".Other than my initial scan with MalwareBytes that found several problems before I went for help on the malware removal forum, did any of the logs, tests, etc show that other problems were identified and corrected? Or did the original MalwareBytes scan/repair I did remove the problem malware but left the HOSTS file corrupted?In any event, I have followed your instructions and uninstalled Combofix, re-enabled Emulation drivers, Installed WinPatrol and Spyware Blaster. In order to install Kaspersy, I had to remove Windows Firewall, and Avira Anti-virus. I have no problem with closing the thread. Thank you for you assistance. Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 27, 2010 Staff ID:240159 Share Posted April 27, 2010 Hello TD5I'm still at a loss to understand what malware was found - in addition to what malwarebyts found before you came here there is also the below from the combofix log. the main one being in bold2006-12-07 15:34:01 . 2004-08-04 05:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir2005-09-14 01:56:00 . 2005-09-14 01:56:00 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\snetcfg.exe.vir2004-10-28 01:21:02 . 2004-10-28 01:21:02 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.virand Or did the original MalwareBytes scan/repair I did remove the problem malware but left the HOSTS file corrupted? and this is possible alsogringo Link to post Share on other sites More sharing options...
TD5 Posted April 27, 2010 Author ID:240368 Share Posted April 27, 2010 Gringo:One last set of questions. These files from the ComboFix.log that you noticed, are they still in my computer? Should I do anything with them? I see that they are in a quarantine folder somewhare. I tried to find them but couldn't, I looked at hidden and system files, they are not to be found. Have they been deleted by ComboFix?2006-12-07 15:34:01 . 2004-08-04 05:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir2005-09-14 01:56:00 . 2005-09-14 01:56:00 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\snetcfg.exe.vir2004-10-28 01:21:02 . 2004-10-28 01:21:02 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir2004-08-04 05:00:00 . 2004-08-04 05:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.virTom D. Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 28, 2010 Staff ID:240477 Share Posted April 28, 2010 Hello TD5when I had you uninstall combofix it removed these backups so they are no longer on your computer. That is why you could not find them. gringo Link to post Share on other sites More sharing options...
TD5 Posted April 28, 2010 Author ID:240702 Share Posted April 28, 2010 Hello TD5when I had you uninstall combofix it removed these backups so they are no longer on your computer. That is why you could not find them. gringoGringo:Just so I'm clear on this - What is the status of these threats: 1 Have they been removed?2 Are quarantined somewhere in my system? If so how do I get rid of them?TD5 Link to post Share on other sites More sharing options...
Staff gringo_pr Posted April 28, 2010 Staff ID:240964 Share Posted April 28, 2010 Yes they have been removed.gringo Link to post Share on other sites More sharing options...
TD5 Posted April 29, 2010 Author ID:241376 Share Posted April 29, 2010 Yes they have been removed.gringoThat's a wrap then. Thanks again for your help.Bye Link to post Share on other sites More sharing options...
Recommended Posts